Abstract. The security and performance of many integrity proof systems like SNARKs, STARKs and Bulletproofs highly depend on the underlying hash function. For this reason several new proposals have recently been developed. These primitives obviously require an in-depth security evaluation, especially since their implementation constraints have led to less standard design approaches. This work compares the security levels offered by two recent families of such primitives, namely GMiMC and HadesMiMC. We exhibit low-complexity distinguishers against the GMiMC and HadesMiMC permutations for most parameters proposed in recently launched public challenges for STARK-friendly hash functions. In the more concrete setting of the sponge construction corresponding to the practical use in the ZK-STARK protocol, we present a practical collision attack on a round-reduced version of GMiMC and a preimage attack on some instances of HadesMiMC. To achieve those results, we adapt and generalize several cryptographic techniques to fields of odd characteristic.


Keywords. Hash functions, integrity proof systems, integral attacks, GMiMC, HadesMiMC.


1 Introduction 


The emergence of cryptographic protocols with advanced functionalities, such as fully homomorphic encryption, multi-party computation and new types of proof systems, has led to a strong demand for new symmetric primitives offering good performance in the context of these specific applications. Indeed, as emphasized by Katz [26] in his invited lecture at CRYPTO 2019, symmetric-key cryptography has an important role to play in the further practical advancement of these applications. However, the standard criteria which govern the design of symmetric primitives are usually not appropriate in the context of these applications. For instance, the cost of the homomorphic evaluation of a symmetric primitive is mainly determined by its multiplicative size and depth [6]. Similarly, the area of integrity proof systems, like SNARKs, STARKs and Bulletproofs, is asking for symmetric primitives optimized for yet another cost metric. Moreover, the use of hash functions that are defined over finite fields of odd characteristic, in particular over prime fields, is desirable in many such applications. One example of such a use case is the zero-knowledge proof system deployed in the Zcash cryptocurrency. Another very interesting example is the ZK-STARK protocol [13], which is expected to be deployed on top of the Ethereum blockchain within the next year: it uses as a building block a collision-resistant hash function, and the performance of the proof system highly depends on the number of arithmetic operations required for describing the hash function (see [7] for details).

Therefore, several new ciphers and hash functions have been proposed in the last five years for these advanced protocols. They include several FHE-friendly symmetric encryption schemes such as LowMC [6], FLIP [31], Kreyvium [20] and Rasta [22], some MPC-friendly block ciphers such as MiMC [5] and its variants [3,24], and some primitives dedicated to proof systems such as the functions from the Marvellous family, including Jarvis, Friday [8], Vision and Rescue [7].

However, all these primitives are very innovative constructions and the implementation constraints which govern their designs may have introduced some unexpected weaknesses. This was the case for LowMC, which was broken a few weeks after its publication [21,23,32]. More recently, a practical attack against Jarvis has been mounted [2], showing that some of these designs are probably not mature enough for practical applications and require a more in-depth security evaluation. In particular, several of these primitives are defined over an odd prime field, a setting in which most of the classical cryptanalytic tools, and therefore also the related security arguments, do not apply directly. This includes linear cryptanalysis and its variants, integral attacks and higher-order differential or cube attacks.


Our contributions. This work analyses the security of two families of such primitives. To be concrete, we focus on the concrete proposals of STARK-friendly hash functions which have been specified in the context of a public competition launched by StarkWare Industries. We aim to compare the security levels offered, for similar parameters, by two families of primitives: GMiMC [3] and HadesMiMC [24,25]. More precisely, we evaluate the resistance of these two primitives against several general types of attacks: attacks exploiting differential properties, integral attacks and advanced algebraic attacks. As a result, we present low-complexity distinguishers against the GMiMC and HadesMiMC permutations for most parameters proposed in the challenges. In the more concrete setting of the sponge construction corresponding to the practical use in the ZK-STARK protocol, we describe a collision attack on a round-reduced version of GMiMC and a preimage attack on some instances of HadesMiMC. Our findings for the most efficient variants of the primitives are summarized in Table 1.

From a technical point of view, our results required us to adapt and generalize several cryptanalytic techniques to fields of odd characteristic. In particular, for integral attacks, we demonstrate that instead of using sums over additive subgroups as usually done for ciphers over $\mathbb{F}_2^n$, it is possible to use any multiplicative subgroup of $\mathbb{F}_q^*$ with similar impact. Interestingly, this seems to suggest that finite fields $\mathbb{F}_q$ with a limited number of multiplicative subgroups might be preferable, i.e. one might want to avoid $q - 1$ being smooth. This implies that the fields which are suitable for implementing FFTs may be more vulnerable to integral attacks. We expect that these general insights have applications beyond our concrete cryptanalytic results.

An additional technical contribution of this paper is the use of algebraic 
techniques for ensuring that transitions of a differential characteristic for a hash 
function hold for many rounds without paying the typical expensive probabilistic 
cost. In particular, we exploit the algebraic structure of the hash function to 
penetrate deep into its state and represent the conditions for the differential 
transitions as algebraic equations that can be efficiently solved. We refer to 
these attacks as algebraically controlled differential attacks. Algebraic techniques 
have been previously used in combination with differential attacks (for example, 
in the recent cryptanalysis of SHA-1 [36]). However, unlike prior work, in our 
setting each differential transition is very expensive to bypass probabilistically. 
Hence, our attacks are almost entirely algebraic and use dedicated techniques to 
ensure that the algebraic equations can be efficiently solved. 


Organization of the paper. The following section describes the two STARK-friendly primitives considered in the paper and their concrete instances. Section 3 details how integral attacks can be mounted over finite fields of any characteristic. Following this new framework, Section 4 exhibits low-complexity integral distinguishers on the full GMiMC permutation. Several differential attacks on round-reduced GMiMC are then detailed in Section 5, including a practical collision attack on the corresponding hash function. Section 6 presents two attacks on HadesMiMC: a general integral distinguisher covering all but two rounds of the permutation, and a preimage attack on the hash function which applies in the specific case where the MDS matrix defining the linear layer has a low multiplicative order.


2 STARK-friendly primitives 


This paper focuses on two families of primitives, which are recent evolutions of the block cipher MiMC designed by Albrecht et al. in 2016 [5], and offer much more flexibility than the original construction:

- GMiMC, designed by Albrecht et al. [3];
- HadesMiMC, proposed by Grassi et al. [24,25], for which two versions are distinguished depending on the characteristic of the underlying field: Starkad over a field of characteristic 2, and Poseidon over a prime field.

Primitive (security)   Rounds   Target          Attack                    Rounds covered   Cost        Sect.
GMiMC (128 bits)       101      permutation     integral distinguisher    70               2^61        4.1
                                                zero-sum distinguisher    102 (full)       2^48        4.3
                                                zero-sum distinguisher    128 (full)       2^122       4.2
                                                diff. distinguisher       64               ?           5.2
                                                diff. distinguisher       66               practical
                                hash function   collisions                40               practical   5.4
                                                collisions                42               ?           5.4
                                                collisions                52               ?           5.4
Poseidon (128 bits)    8+40     permutation     zero-sum distinguisher    6+45 (full)      ?           6
GMiMC (256 bits)       186      permutation     integral distinguisher    116              2^125
                                                zero-sum distinguisher    206 (full)       2^125
                                                zero-sum distinguisher    218 (full)       2^250
                                hash function   collisions                50               ?
Poseidon (256 bits)    8+83     permutation     zero-sum distinguisher    6+87 (full)      2^125       6
                                hash function   preimages (*)             8+any (full)     ?           6

Table 1: Distinguishers on the GMiMC and HadesMiMC permutations and attacks breaking the corresponding sponge hash functions. The variants aiming at 128-bit security operate on $t = 12$ elements in $\mathbb{F}_q$ with $q = 2^{61} + 20 \times 2^{32} + 1$. The variants aiming at 256-bit security operate on $t = 14$ elements in $\mathbb{F}_q$ with $q = 2^{125} + 266 \times 2^{64} + 1$. The last attack (*) only applies when the linear layer has a low multiplicative order. Attacks covering the full number of rounds are marked (full); cost entries marked ? could not be recovered from the source.


2.1 Expected security level 


GMiMC and HadesMiMC are two block ciphers, but both of them can be turned into permutations by replacing the round keys by fixed, independent and randomly chosen round constants. Based on these primitives, hash functions are obtained by applying the sponge construction depicted in Figure 1, using the primitive as the inner permutation.

In the following, we extensively use the following notation: the sponge operates on a state composed of $t$ elements in a finite field $\mathbb{F}_q$. The main parameters which determine the security level of the sponge construction with respect to generic attacks are its capacity $c$ and the size of the underlying alphabet $\mathbb{F}_q$. Namely, a random sponge whose capacity consists of $c$ elements in $\mathbb{F}_q$ provides a generic security level corresponding to $\frac{c}{2} \log_2 q$ queries both for collision and (second-)preimage resistance [14].

Figure 1: Sponge construction with inner permutation $\pi$, internal state with $t = 12$ words and capacity $c = 4$.

The primary cryptanalytic goal is to exhibit collision or preimage attacks on some weakened variants of the hash functions. However, the existence of a property which distinguishes a given cryptographic function from an ideal function of the same size is also commonly considered as a weakness (see e.g. [11, Page 19] for a discussion). In our context, since our attacks do not make any assumptions about the round constants in the inner permutations, our distinguishers are related to the known-key model for block ciphers [28].

While a distinguisher on $\pi$ cannot always be turned into a distinguisher for the hash function, it invalidates the security arguments provided by the indifferentiability proof of the sponge construction. For this reason, the authors of Keccak advocate following the so-called hermetic sponge strategy [16, Page 13], i.e. using the sponge construction with an inner permutation that should not have any structural distinguisher (other than the existence of a compact description).


2.2 Concrete instances 


The different members in each of these families are determined by the triple $(c, t, q)$ representing respectively the number of words in the capacity, the number of words in the state and the field size. In the following, when referring to practical examples, we will focus on the values $(c, t, q)$ considered in the StarkWare challenges given in Table 2. To each triple $(c, t, q)$ correspond two variants, over a prime field and over a binary field, and the exact values of $q$ are detailed in Table 2. Performance in terms of trace size, proving time and verification cost are essential criteria for choosing a STARK-friendly hash function. Implementation results show that, for each family of hash functions, the variant 128-d (for the target 128-bit security) is by far the most efficient [35]. For this reason, some attacks in the paper focus more specifically on this member in the three families, i.e., on sponges whose internal state consists of $t = 12$ words in a finite field $\mathbb{F}_q$ of order close to $2^{64}$ and with capacity $c = 4$. It is also worth noticing that, in terms of performance and suitability, odd prime fields are more STARK-friendly than binary fields for a given size.

Security level   Nominal field size (bits)   q (prime)                 q (binary)   c   t    Variant
128 bits         64                          2^61 + 20 * 2^32 + 1      2^63         4   12   128-d
                 128                         2^125 + 266 * 2^64 + 1    2^125        2   4    128-a
                                                                                    2   12   128-c
                 256                         2^253 + 2^199 + 1         2^255        1   3    128-b
                                                                                    1   11   128-e
256 bits         128                         2^125 + 266 * 2^64 + 1    2^125        4   8    256-a
                                                                                    4   14   256-b

Table 2: Parameters proposed for the permutation and sponge construction.


2.3 Specifications of GMIMC 


GMiMC is a family of block ciphers designed by Albrecht et al. in 2019 [3] based on different types of Feistel networks using $x \mapsto x^3$ over the field corresponding to the branch alphabet as the round function. Among the variants proposed by the designers, we focus on the one chosen in the StarkWare challenges and depicted in Figure 2, namely the variant using an unbalanced Feistel network with an expanding round function, named GMiMC_erf. In the whole paper, the rounds (and round constants) are numbered starting from 1, and the branches are numbered from 1 to $t$ where Branch 1 is the leftmost branch. For the sake of simplicity, this particular variant will be called GMiMC. A specificity of GMiMC is that the designers' security claims concern the primitive instantiated over a prime field. They mention that "even if GMiMC can be instantiated over $\mathbb{F}_{2^n}$, [they] do not provide the number of rounds to guarantee security in this scenario".

In the block cipher setting with a key size equal to $n = \log_2 q$ bits, the key schedule is trivial, i.e. the master key is added to the input of the cube function at every round. This very simple key schedule is a major weakness [18]. However, it seems difficult to leverage the underlying property in the hash function setting we are focusing on.

Figure 2: One round of the GMiMC permutation with $t = 12$.


2.4 Specifications of HadesMiMC


HadesMiMC is a family of permutations described by Grassi et al. in [25], which follows a new design strategy for block ciphers called Hades. The Hades construction aims to decrease the number of Sboxes relative to a traditional Substitution-Permutation Network, while guaranteeing that the cipher still resists all known attacks, including differential and linear cryptanalysis and algebraic attacks. Reducing the number of Sboxes is especially important in many applications and this was traditionally achieved by using a partial substitution layer, i.e., an Sbox layer which does not operate on the whole internal state. However, several attacks on this type of constructions, e.g. [21,23,32], show that it is much more difficult to estimate the security level of these constructions than that of classical SPNs. The basic principle of the Hades construction is then to combine both aspects: the inner rounds in the cipher have a partial Sbox layer to increase the resistance to algebraic attacks at a reduced implementation cost, whereas the outer rounds consist of traditional SPN rounds, with a full Sbox layer. The resistance against statistical attacks is analyzed by removing the inner rounds, while the resistance to algebraic attacks, e.g. the evolution of the algebraic degree over the cipher, involves the inner rounds.

Figure 3: The HadesMiMC construction with $t = 6$.

HadesMiMC [25, Section 3] is then a keyed permutation following the Hades construction dedicated to MPC applications or to STARK proof systems, where the Sbox is defined by the cube mapping over a finite field and the linear layer $L$ corresponds to a $(t \times t)$ MDS matrix. Two concrete instantiations of HadesMiMC are then detailed by Grassi et al. in [24], namely:

- Starkad operates on $t$ elements in a binary field of odd absolute degree (which guarantees that the cube mapping is bijective);
- Poseidon operates on $t$ elements in a prime field $\mathbb{F}_p$ with $p \not\equiv 1 \pmod 3$.

In both cases the partial rounds consist of a single Sbox operating on the last coordinate of the state. For all parameters we consider, the number of full rounds is equal to 8 and the number of partial rounds varies between 40 and 88.


3 Integral attacks over fields of any characteristic 


The notion of integral attacks has been introduced by Knudsen and Wagner [29] and captures several variants including saturation attacks and higher-order differential attacks. These attacks have been used for cryptanalyzing many ciphers, but to the best of our knowledge, all of them operate on a binary field. Indeed, the main property behind these attacks is that, for any $F : \mathbb{F}_2^n \to \mathbb{F}_2$ and for any affine subspace $V \subseteq \mathbb{F}_2^n$,
$$\sum_{x \in V} F(x) = 0$$
when $\deg F < \dim V$. This comes from the fact that the sum of the images by $F$ of all inputs in $V$ corresponds to a value of a derivative of $F$ of order $\dim V$ [30]. It follows that this derivative has degree at most $(\deg F - \dim V)$ and thus vanishes when $\deg F < \dim V$. It is then possible to saturate some input bits of $F$ and to use as a distinguishing property the fact that the output bits are balanced, i.e. they sum to zero. The fact that the sum over all $x \in V$ of $F(x)$ corresponds to the value of a higher-order derivative does not hold anymore in odd characteristic, and the same technique cannot be applied directly.

Higher-order differentials over $\mathbb{F}_q$ then need to use a generalized notion of differentiation, as analyzed in earlier work (see also [1]). However, we can show that for the particular case of saturation attacks, the same technique can be used in the general case of a field $\mathbb{F}_q$, even in odd characteristic. Indeed, we can exploit the following result.


Proposition 1. For any $F : \mathbb{F}_q \to \mathbb{F}_q$ with $\deg(F) < q - 1$,
$$\sum_{x \in \mathbb{F}_q} F(x) = 0.$$

Proof. The result is due to the following well-known property: for any exponent $k$ with $1 \le k \le q - 2$,
$$\sum_{x \in \mathbb{F}_q} x^k = 0.$$
Moreover, when $k = 0$, we have $\sum_{x \in \mathbb{F}_q} x^0 = q = 0$.





Proposition 1 can be generalized to the multivariate case, i.e. to functions from $\mathbb{F}_q^k$ to $\mathbb{F}_q$, which can be expressed as polynomials in the ring
$$\mathbb{F}_q[x_1, \dots, x_k] \,/\, (x_1^q - x_1, \dots, x_k^q - x_k).$$

Corollary 1. For any $F : \mathbb{F}_q^s \to \mathbb{F}_q$ with $\deg(F) < k(q - 1)$ and any affine subspace $V \subseteq \mathbb{F}_q^s$ of dimension at least $k$,
$$\sum_{x \in V} F(x) = 0.$$

Proof. Let $V$ be an affine space of dimension $\kappa \ge k$ and $A$ an affine permutation over $\mathbb{F}_q^s$ such that $A(V) = \{(y, 0, \dots, 0) \mid y \in \mathbb{F}_q^{\kappa}\}$. Then,
$$\sum_{x \in V} F(x) = \sum_{x \in V} (F \circ A^{-1})(A(x)) = \sum_{y_1, \dots, y_\kappa \in \mathbb{F}_q} (F \circ A^{-1})(y_1, \dots, y_\kappa, 0, \dots, 0).$$
Since $\deg(F \circ A^{-1}) = \deg F < k(q - 1)$, $F \circ A^{-1}$ consists of monomials of the form $y_1^{i_1} \cdots y_\kappa^{i_\kappa}$ with at least one exponent $i_j < q - 1$. Then $\sum_{y_j \in \mathbb{F}_q} y_j^{i_j} = 0$, implying that
$$\sum_{y_1, \dots, y_\kappa \in \mathbb{F}_q} y_1^{i_1} \cdots y_\kappa^{i_\kappa} = 0,$$
which leads to $\sum_{x \in V} F(x) = 0$.

Based on this observation, a saturation attack with data complexity $q^k$ can be mounted whenever the degree of $F$ as a polynomial over $\mathbb{F}_q$ is strictly less than $k(q - 1)$, even if $\mathbb{F}_q$ is a field of odd characteristic.

Now, we generalize the notion of integral distinguishers to multiplicative subgroups using the following property.

Proposition 2. Let $G$ be a multiplicative subgroup of $\mathbb{F}_q^*$. For any $F : \mathbb{F}_q \to \mathbb{F}_q$ such that $\deg(F) < |G|$,
$$\sum_{x \in G} F(x) - F(0) \cdot |G| = 0.$$

This is a strict generalization of Proposition 1, for which $|G| = q - 1$.

Proof. The result is a direct consequence of the following well-known property: for any exponent $k$ with $1 \le k \le |G| - 1$,
$$\sum_{x \in G} x^k = 0.$$
Moreover, when $k = 0$, we have $\sum_{x \in G} x^0 = |G|$.

We also note that Corollary 1 can be straightforwardly adapted to multiplicative subgroups. The power of summing over multiplicative subgroups (rather than over the entire field $\mathbb{F}_q$) comes from the fact that if $\mathbb{F}_q^*$ contains small multiplicative subgroups (as for the fields used for the concrete instances specified in Table 2), the complexity of the attacks may be fine-tuned and significantly reduced. In the next sections, such attacks will be applied to both GMiMC and HadesMiMC.


4 Integral distinguishers on the full GMIMC 


4.1 Integral distinguisher on GMIMC 


Using Corollary 1, we can exhibit a distinguisher for $(3t - 4 + \lfloor \log_3(q - 2) \rfloor)$ rounds of GMiMC. A remarkable property is that this distinguisher holds for any finite field. It is obtained by saturating a single branch of the Feistel network and consequently has data complexity $q$. Indeed, we choose a set of inputs where the $(t - 2)$ leftmost branches are inactive, while the rightmost branch is determined by the value of Branch $(t - 1)$. More precisely, we consider a set of inputs of the form
$$\mathcal{X} = \{(\alpha_1, \dots, \alpha_{t-2}, x, f(x)) \mid x \in \mathbb{F}_q\} \qquad (1)$$
where the $\alpha_i$ are arbitrary constants in $\mathbb{F}_q$ and $f$ is defined by
$$f(x) = -\Big(x + \sum_{i=1}^{t-2} \beta_i + RC_{t-1}\Big)^3 - x - 2 \sum_{i=1}^{t-2} \beta_i - RC_{t-1} - RC_t$$
and $\beta_1, \dots, \beta_{t-2}$ are constant values derived from $\alpha_1, \dots, \alpha_{t-2}$ by
$$\beta_1 = (\alpha_1 + RC_1)^3 \quad \text{and} \quad \beta_{i+1} = \Big(\alpha_{i+1} + \sum_{j=1}^{i} \beta_j + RC_{i+1}\Big)^3.$$

Let us first consider the first $(t - 2)$ rounds. We observe that, at Round $i$, $1 \le i \le t - 2$, the output of the Sbox corresponds to $\beta_i$ and is added to all branches except the leftmost branch of the input. It follows that the output of Round $(t - 2)$ corresponds to
$$\Big(x + \sum_{i=1}^{t-2} \beta_i,\ f(x) + \sum_{i=1}^{t-2} \beta_i,\ \gamma_1, \dots, \gamma_{t-2}\Big)$$
where $(\gamma_1, \dots, \gamma_{t-2})$ are constants (see Figure 4). Therefore, if $x'$ denotes the value of Branch 1, i.e., $x' = x + \sum_{i=1}^{t-2} \beta_i$, we have that Branch 2 corresponds to
$$f(x) + \sum_{i=1}^{t-2} \beta_i = -(x' + RC_{t-1})^3 - x' - RC_{t-1} - RC_t.$$
The inputs of Round $t$ are then
$$\{(-x' - RC_t - RC_{t-1},\ \gamma_1 + (x' + RC_{t-1})^3, \dots, \gamma_{t-2} + (x' + RC_{t-1})^3,\ x') \mid x' \in \mathbb{F}_q\}$$
and the inputs of Round $(t + 1)$ are
$$\{(\gamma_1, \dots, \gamma_{t-2},\ x' - (x' + RC_{t-1})^3,\ -x' - RC_t - RC_{t-1}) \mid x' \in \mathbb{F}_q\}.$$
The following $(t - 2)$ rounds do not activate the Sbox, implying that the input set at Round $(2t - 1)$ has the form
$$\{(x' - (x' + RC_{t-1})^3 + \delta_1,\ -x' + \delta_2,\ \delta_3, \dots, \delta_t) \mid x' \in \mathbb{F}_q\} \qquad (2)$$
for some fixed values $\delta_1, \dots, \delta_t$ determined by the constants. Each coordinate of this input word can then be seen as a $q$-ary polynomial in $x'$ of degree at most three. It follows that, after $r$ additional rounds, the set is transformed into a set of elements $(z_1, \dots, z_t)$ whose coordinates have degree at most $3^{r+1}$. Prop. 1 then implies that all $z_i$ are balanced if $3^{r+1} \le q - 2$, i.e., if $r \le \lfloor \log_3(q - 2) \rfloor - 1$.

Figure 4: First rounds of the integral distinguisher on GMiMC (with $t = 4$).
Adding $(t - 1)$ rounds. We can add some more rounds by using the following relation over $(t - 1)$ rounds of GMiMC.

Proposition 3. Let $(x_1, \dots, x_t)$ and $(y_1, \dots, y_t)$ denote the input and output of $(t - 1)$ rounds of GMiMC. Then
$$\sum_{i=2}^{t} y_i - (t - 2)\, y_1 = \sum_{i=1}^{t-1} x_i - (t - 2)\, x_t. \qquad (3)$$

Proof. Let $(x_1^{\ell}, \dots, x_t^{\ell})$ denote the input of Round $\ell$. It can be observed that, for any $i, j \in \{1, \dots, t - 1\}$,
$$x_i^{\ell+1} = x_{i+1}^{\ell} + \big(x_j^{\ell+1} - x_{j+1}^{\ell}\big) \quad \text{and} \quad x_t^{\ell+1} = x_1^{\ell}.$$
It follows that, for any $j$, $1 \le j \le t - 1$,
$$\sum_{i=1}^{t} x_i^{\ell+1} - (t - 1)\, x_j^{\ell+1} = \sum_{i=1}^{t} x_i^{\ell} - (t - 1)\, x_{j+1}^{\ell}.$$
By applying this equality $(t - 1)$ times, we deduce (3).

From the previous proposition, we deduce that after a total of
$$R = 3t - 4 + \lfloor \log_3(q - 2) \rfloor \text{ rounds},$$
the output $(v_1, \dots, v_t)$ of GMiMC satisfies $\sum_{i=2}^{t} v_i - (t - 2)\, v_1 = \sum_{i=1}^{t-1} z_i - (t - 2)\, z_t$, which is a polynomial in $x$ of degree at most $(q - 2)$. This leads to a distinguisher with complexity $q$ on $R$ rounds, i.e., 70 rounds for the parameters we focus on.
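The following Python script is an added worked example, not code from the paper: it instantiates GMiMC_erf on assumed toy parameters (t = 4 branches over F_q with q = 7919, a prime with q = 2 mod 3 so that the cube map is a bijection, and round constants drawn from a seeded PRNG; none of these values come from the StarkWare challenges), builds the input set X of equation (1), checks Proposition 3 directly, and verifies that the combination sum_{i=2}^t v_i - (t-2) v_1 sums to zero over X after R = 3t - 4 + floor(log_3(q-2)) = 16 rounds, which is the distinguisher of this section.

```python
# Added worked example (not the paper's code): the single-branch integral
# distinguisher of Section 4.1 on a toy GMiMC_erf instance.
# Assumptions (not from the paper): t = 4 branches over F_q with q = 7919,
# a prime with q = 2 mod 3 so that x -> x^3 is a bijection, and round
# constants drawn from a seeded PRNG.
import random

Q = 7919                          # toy prime field (q = 2 mod 3)
T = 4                             # number of branches
LOG3_FLOOR = 8                    # floor(log_3(q - 2)): 3^8 = 6561 <= 7917 < 3^9
R_DIST = 3 * T - 4 + LOG3_FLOOR   # rounds covered by the distinguisher: 16


def gmimc_round(state, rc):
    """One GMiMC_erf round: cube the constant-added leftmost branch, add the
    result to every other branch, then rotate the leftmost branch to the end."""
    s = pow((state[0] + rc) % Q, 3, Q)
    return [(v + s) % Q for v in state[1:]] + [state[0]]


def gmimc(state, rcs):
    """Apply one round per round constant in rcs (RC_1, RC_2, ... in order)."""
    for rc in rcs:
        state = gmimc_round(state, rc)
    return state


def input_set(alphas, rcs):
    """The set X of eq. (1): (alpha_1, ..., alpha_{t-2}, x, f(x)) for all x in F_q,
    with f chosen so that the S-box of Round t cancels the S-box of Round t-1."""
    t = len(alphas) + 2
    sum_beta = 0
    for i in range(t - 2):   # beta_{i+1} = (alpha_{i+1} + sum_{j<=i} beta_j + RC_{i+1})^3
        sum_beta = (sum_beta + pow((alphas[i] + sum_beta + rcs[i]) % Q, 3, Q)) % Q
    rc_tm1, rc_t = rcs[t - 2], rcs[t - 1]   # RC_{t-1} and RC_t (1-indexed in the paper)

    def f(x):
        return (-pow((x + sum_beta + rc_tm1) % Q, 3, Q)
                - x - 2 * sum_beta - rc_tm1 - rc_t) % Q

    return [list(alphas) + [x, f(x)] for x in range(Q)]


def output_combination(v):
    """sum_{i=2}^{t} v_i - (t-2) v_1, the quantity Prop. 3 carries across t-1 rounds."""
    t = len(v)
    return (sum(v[1:]) - (t - 2) * v[0]) % Q


def prop3_holds(state, rcs):
    """Prop. 3: over t-1 rounds, sum_{i=2}^t y_i - (t-2) y_1 equals
    sum_{i=1}^{t-1} x_i - (t-2) x_t for any input x."""
    t = len(state)
    y = gmimc(state, rcs[:t - 1])
    return output_combination(y) == (sum(state[:-1]) - (t - 2) * state[-1]) % Q


def integral_sum(rounds, seed=1):
    """Sum of the output combination over the whole set X after `rounds`
    rounds (rounds >= t); zero mod q whenever rounds <= R_DIST."""
    assert rounds >= T, "the set X needs at least RC_1, ..., RC_t"
    rng = random.Random(seed)
    rcs = [rng.randrange(Q) for _ in range(rounds)]
    alphas = [rng.randrange(Q) for _ in range(T - 2)]
    total = 0
    for st in input_set(alphas, rcs):
        total += output_combination(gmimc(st, rcs))
    return total % Q


if __name__ == "__main__":
    print("rounds covered:", R_DIST)
    print("zero-sum after R rounds:", integral_sum(R_DIST) == 0)
```

With q = 7919 the sum runs over 7919 inputs and completes in well under a second; for the challenge field q is about 2^61 and the same set would cost 2^61 evaluations, which is exactly what the multiplicative-subgroup variant of Section 4.3 is designed to cut down.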


4.2 Zero-sum distinguishers on the full permutation 


Saturating a single branch. Since we are analyzing a permutation (or a family of permutations parameterized by the round constants), there is no secret material involved in the computation, implying that a distinguisher can be built from some internal states in the middle of the primitive, not only from inputs and outputs, exactly as in the known-key setting for block ciphers [28]. This leads to zero-sum distinguishers, which were introduced by Aumasson and Meier [10] and exhibited for several hash functions, including SHA-3 [9,19].

The previously described distinguisher can be extended by $(t - 2 + \lfloor \log_3(q - 2) \rfloor)$ rounds backwards. This is realized by choosing the internal states after $(t - 2 + \lfloor \log_3(q - 2) \rfloor)$ rounds in $\mathcal{X}$, as defined by (1). The inverse of one round of GMiMC is still a round of a Feistel network of the same form and it has degree three over $\mathbb{F}_q$. Then, the coordinates $(y_1, \dots, y_t)$ of the images of the elements in $\mathcal{X}$ by $r$ backward rounds can be seen as univariate polynomials in $x$ with degree at most $3^{r+1}$. Exactly as in the forward direction, after $(\lfloor \log_3(q - 2) \rfloor - 1)$ rounds, the degree of these polynomials cannot exceed $(q - 2)$.

Based on Prop. 3, we can then add $(t - 1)$ rounds backwards. Indeed, the input of the first round of the permutation $(u_1, \dots, u_t)$ is related to the output of Round $(t - 1)$, i.e. $(y_1, \dots, y_t)$, by
$$\sum_{i=2}^{t} y_i - (t - 2)\, y_1 = \sum_{i=1}^{t-1} u_i - (t - 2)\, u_t,$$
and the left-hand term of this equation is a polynomial in $x$ of degree at most $(q - 2)$, implying that the values $\sum_{i=1}^{t-1} u_i - (t - 2)\, u_t$ sum to zero.

Similarly, we can apply the previously described distinguisher in the forward direction, and deduce that the outputs $(v_1, \dots, v_t)$ of the permutation after $(3t - 4 + \lfloor \log_3(q - 2) \rfloor)$ additional rounds are such that the values $\sum_{i=2}^{t} v_i - (t - 2)\, v_1$ sum to zero. This leads to a distinguisher with complexity $q$ for a total of
$$4t - 6 + 2 \lfloor \log_3(q - 2) \rfloor \text{ rounds},$$
which is higher than the number of rounds proposed in all StarkWare challenges, except in the case where $q$ exceeds the claimed security level (see Table 3).


Saturating two branches. When $t > 4$, it is possible to exhibit a similar distinguisher on more rounds with complexity $q^2$ by saturating two branches. In this case, we start from Round $m$ in the middle with a set of internal states
$$\mathcal{V} = \{(\alpha_1, \dots, \alpha_{t-4}, x, f(x), g(y), y) \mid x, y \in \mathbb{F}_q\}$$
where
$$f(x) = -\Big(x + \sum_{i=1}^{t-4} \beta_i + RC_{m+t-4}\Big)^3 - x - 2 \sum_{i=1}^{t-4} \beta_i - RC_{m+t-4} - RC_{m+t-3},$$
$$g(y) = (y + RC_{m-1})^3 - y - RC_{m-1} - RC_{m-2},$$
and $\beta_1, \dots, \beta_{t-4}$ are defined as before by replacing $RC_i$ by $RC_{m+i-1}$.

Computing forwards. As depicted in Figure 5, the corresponding set at the input of Round $(m + t - 4)$ is then of the form
$$\{(x',\ -(x' + RC_{m+t-4})^3 - x' - RC_{m+t-4} - RC_{m+t-3},\ \gamma_1(y), \dots, \gamma_{t-2}(y)) \mid x', y \in \mathbb{F}_q\}$$
where $(\gamma_1, \dots, \gamma_{t-2})$ are some values which depend on $y$ only. After two more rounds, we then get some internal states whose $(t - 2)$ leftmost branches do not depend on $x'$. It follows that each coordinate of the input of Round $(m + 2t - 4)$ is a polynomial in $x'$ and $y$ of degree at most three in $x'$. After $(\lfloor \log_3(q - 2) \rfloor - 1)$ rounds, we get that each coordinate is a polynomial of degree at most $(q - 2)$ in $x'$. Then, with the same technique as before, we can add $(t - 1)$ rounds and show that the output of the permutation $(v_1, \dots, v_t)$ is such that the linear combination $\sum_{i=2}^{t} v_i - (t - 2)\, v_1$ sums to zero after $(3t - 6 + \lfloor \log_3(q - 2) \rfloor)$ rounds.

Figure 5: Middle rounds of the zero-sum distinguisher on GMiMC (with $t = 5$).

Computing backwards. Starting from Round $m$ and computing backwards, we get that the input of Round $(m - 1)$ is of the form
$$\Big(y,\ \alpha_1 - (y + RC_{m-1})^3, \dots, \alpha_{t-4} - (y + RC_{m-1})^3,\ x - (y + RC_{m-1})^3,\ f(x) - (y + RC_{m-1})^3,\ -y - RC_{m-1} - RC_{m-2}\Big)$$
and the input of Round $(m - 2)$ equals
$$\Big(-y - RC_{m-1} - RC_{m-2},\ y + (y + RC_{m-1})^3,\ \alpha_1, \dots, \alpha_{t-4},\ x,\ f(x)\Big).$$
Then, the following $(t - 2)$ rounds do not activate the Sbox, implying that all the coordinates of the input of Round $(m - t)$ are polynomials in $x$ and $y$ of degree at most three in $y$. We deduce that the input $(u_1, \dots, u_t)$ of Round $(m - 2t + 2 - \lfloor \log_3(q - 2) \rfloor)$ is such that the linear combination $\sum_{i=1}^{t-1} u_i - (t - 2)\, u_t$ sums to zero. This zero-sum distinguisher then covers a total of
$$5t - 8 + 2 \lfloor \log_3(q - 2) \rfloor \text{ rounds},$$
which is detailed in Table 3 for the relevant parameters.











Security   log2 q   t    Full rounds   ZS, complexity q   ZS, complexity q^2
128 bits   61       12   101           118                128
           125      4    166           166                -
           125      12   182           198                -
           256      3    326           -                  -
           256      11   342           -                  -
256 bits   125      8    174           182                188
           125      14   186           206                218

Table 3: Number of rounds of GMiMC covered by the zero-sum distinguishers of complexity $q$ and $q^2$. Entries marked - exceed the claimed security level.


4.3 Exploiting integral distinguishers over multiplicative subgroups 


A noticeable shortcoming of the integral attacks over $\mathbb{F}_q$, as demonstrated by Table 3, is that they do not give any result for primitives over large fields $\mathbb{F}_q$ (for which $\log_2 q \approx 256$). However, by exploiting integral distinguishers over multiplicative subgroups of $\mathbb{F}_q^*$ (e.g., for the specific choice of $q = 2^{253} + 2^{199} + 1$), we obtain essentially the same results for GMiMC instances with large $q$ as we obtain for instances with small $q$. For example, in Section 4.1 we derived an integral distinguisher on
$$R = 3t - 4 + \lfloor \log_3(q - 2) \rfloor \text{ rounds},$$
with complexity $q$. By exploiting any multiplicative subgroup of size $|G| = 2^s$ for $s \le 199$ when $q = 2^{253} + 2^{199} + 1$, we obtain an integral distinguisher on
$$R = 3t - 4 + \lfloor \log_3(|G| - 1) \rfloor \text{ rounds},$$
with complexity $|G| + 1$.

Moreover, even for smaller fields, we can fine-tune the size of $G$ to reduce the complexity of the attack. This is relevant especially for cases where an attack with complexity $q$ can reach more rounds than the ones used by the primitive (which is indeed the case, as shown in Table 3). For example, as derived in Section 4.2, we have a zero-sum property for
$$4t - 6 + 2 \lfloor \log_3(q - 2) \rfloor \text{ rounds},$$
with complexity $q$. For the GMiMC variant with $q = 2^{61} + 20 \times 2^{32} + 1$ and $t = 12$, we use a subgroup of size $2^{33} \cdot 167 \cdot 211 \approx 2^{48}$ (which divides $q - 1$), and obtain a zero-sum property for
$$4t - 6 + 2 \lfloor \log_3(2^{48} - 1) \rfloor = 102 \text{ rounds},$$
with complexity of about $2^{48}$ (which covers the full permutation).
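The following Python script is an added example (not the paper's code) that makes Proposition 2 of Section 3 and the fine-tuning above concrete on the 128-d prime q = 2^61 + 20 * 2^32 + 1: it factors q - 1 to expose the available subgroup orders, builds the subgroup G of order 167 from an element of exact order 167, checks that sum_{x in G} F(x) - |G| F(0) vanishes for a constructed degree-166 polynomial and equals |G| for F = x^|G|, and recomputes the round count 4t - 6 + 2 floor(log_3(|G| - 1)) for the subgroup of order 2^33 * 167 * 211 used above. It assumes only that q is prime, as the challenge states; the test polynomial is constructed here and is not from the paper.

```python
# Added worked example (not the paper's code): Proposition 2 and the
# subgroup fine-tuning of Section 4.3 on the StarkWare 128-d prime.
# Assumption: q is prime (as stated for the challenge); the factorisation
# of q - 1 is computed below, not assumed.
Q = 2**61 + 20 * 2**32 + 1


def factor(n):
    """Trial-division factorisation as {prime: exponent}; adequate here
    because the odd part of q - 1 is below 2^28."""
    fs, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            fs[p] = fs.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        fs[n] = fs.get(n, 0) + 1
    return fs


def subgroup_generator(d, q=Q):
    """An element of multiplicative order exactly d in F_q^* (d | q - 1).
    h^((q-1)/d) has order dividing d; it has order exactly d unless it is a
    p-th power for some prime p | d, which the check below rules out."""
    assert (q - 1) % d == 0, "d must divide q - 1"
    primes = factor(d)
    for h in range(2, q):
        g = pow(h, (q - 1) // d, q)
        if all(pow(g, d // p, q) != 1 for p in primes):
            return g
    raise ValueError("no element of order d found")   # unreachable for prime q


def subgroup(d, q=Q):
    """All d elements of the multiplicative subgroup of order d."""
    g = subgroup_generator(d, q)
    elems, x = [], 1
    for _ in range(d):
        elems.append(x)
        x = x * g % q
    return elems


def poly_eval(coeffs, x, q=Q):
    """Horner evaluation; coeffs[i] is the coefficient of x^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def integral_over_subgroup(coeffs, d, q=Q):
    """sum_{x in G} F(x) - |G| * F(0)  (mod q) for the subgroup G of order d.
    Prop. 2: this is 0 whenever deg F < |G|; for F = x^|G| it equals |G|."""
    G = subgroup(d, q)
    return (sum(poly_eval(coeffs, x, q) for x in G) - d * coeffs[0]) % q


def int_log3(n):
    """floor(log_3 n) for n >= 1, computed without floating point."""
    k, p = 0, 3
    while p <= n:
        k, p = k + 1, p * 3
    return k


def zero_sum_rounds(t, group_order):
    """Rounds covered by the single-branch zero-sum distinguisher of
    Sect. 4.2 when the saturated branch ranges over a subgroup of the given
    order: 4t - 6 + 2 floor(log_3(|G| - 1)), at a cost of about |G|."""
    return 4 * t - 6 + 2 * int_log3(group_order - 1)


if __name__ == "__main__":
    print("q - 1 =", factor(Q - 1))                      # 2^34 * 13 * 167 * 211 * 293
    d = 167                                              # a small divisor of q - 1
    coeffs = [pow(3, i * i, Q) for i in range(d)]        # constructed degree-166 polynomial
    print("deg F < |G|:", integral_over_subgroup(coeffs, d))          # 0
    print("F = x^|G|  :", integral_over_subgroup([0] * d + [1], d))   # 167
    big = 2**33 * 167 * 211
    print("|G| ~ 2^48 divides q - 1:", (Q - 1) % big == 0,
          "  zero-sum rounds for t = 12:", zero_sum_rounds(12, big))  # 102
```

The factorisation shows why this field is attractive to the attacker: q - 1 = 2^34 * 13 * 167 * 211 * 293 is smooth, so subgroup orders are available at almost any size between 2 and q - 1, and the data complexity can be tuned to the smallest |G| whose round count still covers the primitive.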


5 Differential attacks on round-reduced GMIMC 


5.1 Impossible differential attacks 


We present a new impossible differential for $(3t - 4)$ rounds, which improves the previous one for $(2t - 2)$ rounds presented by the designers [4, Page 46].

The previous impossible differential exploits the following probability-one propagation for $(t - 1)$ rounds: $(0, \dots, 0, \alpha) \to (\alpha, 0, \dots, 0)$ where $\alpha$ is a non-zero difference. Hence, $(0, \dots, 0, \alpha)$ never propagates to $(\beta, 0, \dots, 0)$ after $2t - 2$ rounds for any $\beta$. The designers concluded that conservatively $2t$ rounds are secure when the security level corresponds to the block size $n$.

We show that $(0, \dots, 0, \alpha_1) \not\to (\beta_1, 0, \dots, 0)$ over $3t - 4$ rounds is an impossible propagation, where $\alpha_1, \beta_1$ are non-zero differences satisfying $\alpha_1 \ne \beta_1$. That is, we include $t - 2$ more rounds in the middle compared to the property presented by the designers.

The intuition for why the above differential is impossible is as follows. When $(0, \dots, 0, \alpha_1)$ is propagated, the output difference of the cube mapping is $0$ for the first $t - 1$ rounds and is unpredictable for the next $t/2 - 1$ rounds. We denote them by $\alpha_2, \alpha_3, \dots, \alpha_{t/2}$. Similarly, we extend $(0, \dots, 0, \beta_1)$ by $t/2 - 1$ rounds backwards, using the notation $\beta_2, \beta_3, \dots, \beta_{t/2}$. Here, to be a valid propagation, those differences must be equal in all the branches, which yields a system of $t$ linear equations with $2(t/2 - 1) = t - 2$ variables. By solving the system, we obtain that $\alpha_1 = \beta_1$ is a necessary condition to obtain a valid differential propagation. In other words, for any $\alpha_1, \beta_1$ with $\alpha_1 \ne \beta_1$, the propagation is impossible. A detailed analysis of this property is provided in Appendix A.


5.2 A differential distinguisher 


The original paper [4, Appendix D] analyzes the resistance of GMIMC against 
differential attacks. Most notably, the designers exhibit a differential character-
istic over (t + 1) rounds with two active Sboxes, with probability $2^{-2(n-1)}$ where 
$n = \log_2 q$, and they conjecture that the corresponding differential is optimal. 
They deduce that 

$R = 2 + (t+1) \left\lceil \frac{tn}{2(n-1)} \right\rceil$ rounds 

are sufficient to resist differential cryptanalysis in the sense that the data com-
plexity of the attack exceeds the size of the full codebook. For instance, when 
t = 12 and n = 61, this corresponds to 93 rounds out of 101. 


A better differential. We exhibit another differential, over t rounds, which leads 
to a much more efficient attack. Let $\alpha$ and $\alpha'$ be two differences in $\mathbb{F}_q$. Then, the 
difference $(0,\ldots,0,\alpha,\alpha')$ propagates through t rounds of the permutation as 

$(0,\ldots,0,\alpha,\alpha') \xrightarrow{R^{t-2}} (\alpha,\alpha',0,\ldots,0) \xrightarrow{R} (\alpha'+\beta, \beta, \ldots, \beta, \alpha) \xrightarrow{R} (\beta+\beta', \ldots, \beta+\beta', \alpha+\beta', \alpha'+\beta),$ 

where $\alpha \xrightarrow{S} \beta$ denotes the Sbox transition occurring at Round (t − 1) and $\alpha'+\beta \xrightarrow{S} \beta'$ 
the Sbox transition occurring at Round t. 

It follows that, for any possible value of $\beta$, we obtain the following t-round 
differential as soon as $\beta' = -\beta$, which occurs with probability $2^{-n}$ on average: 

$(0,\ldots,0,\alpha,\alpha') \xrightarrow{R^{t}} (0,\ldots,0,\alpha-\beta,\alpha'+\beta).$ 

Since this probability does not depend on the choice of $\alpha$ and $\alpha'$, this differential 
can be iterated several times to cover more rounds. 

For instance, when t = 12 and n = 61, the 101 rounds of GMIMC can be 
decomposed into 8 blocks of t = 12 rounds, followed by 5 rounds. We then get a 
differential of the form 

$(0,\ldots,0,\alpha,\alpha') \xrightarrow{101} (0,0,0,0,0,\gamma,\gamma',0,0,0,0,0)$ 

over the full cipher for some unknown $\gamma, \gamma'$ with probability at least 

$P = 2^{-8n} = 2^{-488},$ 

since the characteristic over the last 5 rounds has probability one. This leads to a 
differential distinguisher over the full permutation with complexity $P^{-1} = 2^{488}$, 
which is much lower than the size of the full codebook ($2^{732}$). 

It is worth noticing that P is a lower bound on the probability of the 101- 
round differential since we considered pairs following some specific characteristics 
by fixing the forms of some differences at intermediate rounds. Some additional 
input pairs may lead to an output difference of the same form but not to these 
specific intermediate differences. 
Improving the complexity of the distinguisher with structures. The data complex-
ity of the previous distinguisher can be improved by using structures of inputs. 
Here, a structure is a set of $2^{2n}$ inputs of the form $S_c = \{(c_1,\ldots,c_{t-2},x,y) \mid x, y \in \mathbb{F}_q\}$. 
The difference between any two elements in the same structure has the form 
$(0,\ldots,0,\alpha,\alpha')$. It follows that, from any structure, we can construct $2^{4n-1}$ pairs 
of inputs whose difference conforms with the differential. Then, the number of 
structures required to obtain $P^{-1} = 2^{8n}$ pairs with an appropriate difference is 

$2^{8n-4n+1} = 2^{4n+1},$ 

leading to an overall data complexity of $2^{6n+1} = 2^{367}$. The time complexity is 
equal to the data complexity here since the distinguisher consists in identifying 
the output pairs which coincide on all output words except the two in the middle. 
This does not require computing all pairs of elements in each structure, but only 
to store the values $\pi(x)$, $x \in S_c$, according to their first coordinates. 


This differential distinguisher does not lead to an attack with complexity 
below the target security level. However, this must be considered as an unsuitable 
property since its complexity is much lower than what we expect for a randomly 
chosen permutation on a set of size $2^{732}$. 


It is worth noticing that, if we restrict ourselves to distinguishers with com-
plexity below the target security level of 128 bits, then we can use at most 
$2^{128}/2^{2n} = 2^{6}$ structures. Therefore, we can derive from these structures $2^{6+4n-1}$, 
i.e. $2^{249}$, pairs of inputs conforming with the differential. These pairs can be 
used to distinguish 4 blocks of t rounds since the differential has probability 
at least $2^{-4n}$. Moreover, a valid pair propagates to a differential of the form 
$(\gamma, \gamma', 0,0,0,0,0,0,0,0,0,0)$ with probability one over (t − 2) rounds, and we 
can extend it by a few more rounds by considering the number of state words 
that have the same difference. After another 6 rounds, the pair has a differential 
of the form 

$(\Delta, \Delta, \Delta, \Delta, \Delta, \Delta, *, *, *, *, *, *),$ 

with probability one, where * is an unknown difference that we do not care about. 
This differential form has a constraint of size 5n: the left-most six state words 
have an identical difference. The number of queries to satisfy the same property 
for a randomly chosen permutation is lower bounded by $2^{5n/2} \approx 2^{152.5}$. This 
implies that we can distinguish 4t + (t − 2) + (t − 6) = 64 rounds of GMIMC 
from a randomly chosen permutation with complexity less than $2^{128}$. 


Improved distinguisher using three active words. If we consider a differential with 
only two active words, the biggest structure we can build is of size $2^{2n}$, which 
limits the advantage of using structures in reducing the cost of the distinguishers. 
Let us now consider the following differential: 

$(0,\ldots,0,\alpha,\alpha',\alpha'') \xrightarrow{R^{t-3}} (\alpha,\alpha',\alpha'',0,\ldots,0)$ 
$\xrightarrow{R} (\alpha'+\beta,\ \alpha''+\beta,\ \beta,\ldots,\beta,\ \alpha)$ 
$\xrightarrow{R} (\alpha''+\beta+\beta',\ \beta+\beta',\ldots,\beta+\beta',\ \alpha+\beta',\ \alpha'+\beta)$ 
$\xrightarrow{R} (\beta+\beta'+\beta'',\ldots,\beta+\beta'+\beta'',\ \alpha+\beta'+\beta'',\ \alpha'+\beta+\beta'',\ \alpha''+\beta+\beta'),$ 

where $\alpha \xrightarrow{S} \beta$, $\alpha'+\beta \xrightarrow{S} \beta'$ and $\alpha''+\beta+\beta' \xrightarrow{S} \beta''$ denote the Sbox transitions 
occurring at Round (t − 2), at Round (t − 1) and at Round t. 

As with the previous differential, if $\beta + \beta' + \beta'' = 0$, which occurs with 
probability $2^{-n}$ on average, we have: 

$(0,\ldots,0,\alpha,\alpha',\alpha'') \xrightarrow{R^{t}} (0,\ldots,0,\ \alpha-\beta,\ \alpha'+\beta+\beta'',\ \alpha''-\beta'').$ 

Again, the probability of this transition is independent of the values of $\alpha$, $\alpha'$ and 
$\alpha''$, so it can be iterated with probability $2^{-n}$. 

For this differential, we can build structures of size $2^{3n}$. This will allow us to 
consider around $2^{6n}$ pairs with the required input differential, so we can expect 
to be able to iterate the characteristic for 6t rounds. The total distinguisher will 
cover 6t + (t − 3) rounds. As for the previous one, we can add 4 more rounds, 
generating an output state with 8 words having the same difference with a cost 
of $2^{3n}$, compared to a cost of $2^{7n/2}$ for a random permutation. For GMIMC with 
t = 12, this allows us to distinguish 85 rounds with a cost of $2^{3n}$. By repeating this 
procedure $2^{n}$ times, we can expect t more rounds to be covered, and distinguish 
the whole permutation with 101 rounds with a complexity of $2^{4n} = 2^{244}$ and 
having 9 words with a zero difference (as we do not need to add the final four 
rounds). 

Let us point out that using four instead of three words would not improve 
the number of rounds attacked on GMIMC-128-d, as the cost of one structure 
is already the same as the cost of obtaining the 8 non-zero differences in the 
output for a random permutation. Nevertheless, in the case of the GMIMC 
variant 256-b with t = 14, if we use a similar differential with four active words, 
we can distinguish up to 8t + (t − 4) = 122 rounds while finding 10 words with 
no difference and with a complexity of about $2^{4n} = 2^{500}$. 

To determine whether further improvements of these differentials are possi-
ble, we have searched for other differential characteristics with a Mixed-Integer 
Linear Programming (MILP) model. We conclude that the previously described 
characteristics are essentially optimal for the defined search space, and refer to 
Appendix B for details. 


5.3 Algebraically controlled differential attacks 


In this section, we show how to use algebraic techniques to efficiently find inputs 
that satisfy a given differential characteristic. The basic idea is to represent the 
initial state of the permutation symbolically by assigning variables to some of 
its branches, while the remaining branches are assigned constant values. We 
then compute the permutation symbolically for several rounds. Namely, for each 
round, we derive a polynomial expression for each branch of the internal state 
in terms of the allocated variables. 

We repeat this process starting from two initial states (representing two in- 
puts to the permutation), perhaps assigning them different variables. We can 
now represent the difference between the internal states at each round in these 
two computations using polynomial expressions in the allocated variables. In par- 
ticular, each differential transition of the given differential characteristic (whose 
probability is smaller than one) is expressed as a polynomial equation in the 
variables. Collecting the equations for all differential transitions, we obtain a 
system of polynomial equations, whose solution immediately gives two inputs 
to the permutation that satisfy the differential characteristic. For this approach 
to be useful, the equation system has to be efficiently solvable, which generally 
implies that we cannot allocate too many variables and need to minimize the 
algebraic degree of the polynomial equations. 

Next, we discuss the complexity of solving equation systems of a specific 
form that we encounter in the remainder of this section. We then demonstrate 
the basic attack approach with an example and continue with more involved 
attacks. 


Solving polynomial equation systems with few variables. Some of our attacks 
in the remainder of this section reduce to solving equation systems over $\mathbb{F}_q$. 
When possible, we solved the systems in practice using the MAGMA software. 
However, it is also important to understand the complexity of our attacks on 
stronger variants of the cryptosystem, where they become impractical. In this 
section, we will only consider systems with one or two variables and estimate 
the complexity of solving such systems below. We note that in Section 6.2 we 
encounter equation systems with more variables. Solving such equations is more 
involved and we will have to use a different estimation, which is heuristic (but 
standard). 

Solving a univariate polynomial equation over $\mathbb{F}_q$ of degree d is done by factor-
ing the polynomial. Asymptotically, the best known algorithm for this problem 
was published in [27] and has complexity of about $d^{1.5+o(1)}$ bit operations. We 
note, however, that the o(1) expression in the exponent hides a non-negligible 
term. Solving two bivariate polynomial equations $P_1(x,y) = 0$ and $P_2(x,y) = 0$ 
of total degrees $d_1$ and $d_2$ (respectively) can be done by computing the resultant 
of the two polynomials (the resultant of two polynomials is itself a polynomial 
in their coefficients, whose zeroes coincide with the common roots of the two 
polynomials), which is a univariate polynomial in x of degree $d_1 \cdot d_2$. 
We then compute the roots of the resultant (by factoring it) and for each such 
root $\bar{x}$, we compute the common roots of $P_1(\bar{x},y)$ and $P_2(\bar{x},y)$ (using a GCD 
algorithm). In general, the heaviest step in this process is factoring the resultant. 
Satisfying 3t − 2 rounds. We show how to efficiently satisfy 3t − 2 rounds of the 
iterative differential characteristic of Section 5.2 

$(0,\ldots,0,\mu_0,\mu_0') \xrightarrow{R^{t-2}} (\mu_0,\mu_0',0,\ldots,0) \xrightarrow{R} (\mu_0'+\mu_1,\ \mu_1,\ldots,\mu_1,\ \mu_0) \xrightarrow{R} (\mu_1+\mu_1',\ldots,\mu_1+\mu_1',\ \mu_0+\mu_1',\ \mu_0'+\mu_1),$ 

where we require that $\mu_1 + \mu_1' = 0$. 

Consider an initial state of the permutation of the form 

$X_0 = (a_1, \ldots, a_{t-2}, x, f(x)),$ 

where the $a_i$ are constants in $\mathbb{F}_q$, x is a variable and the function f(x) is described 
in Section 4 (see (1)). Then, as described in Section 4, the internal state at 
Round (t − 2) is described as 

$X_{t-2} = \Big(x + \sum_{i=1}^{t-2} \beta_i,\ f(x) + \sum_{i=1}^{t-2} \beta_i,\ \gamma_1, \ldots, \gamma_{t-2}\Big),$ 

while the state at Round (2t − 2) is described as 

$X_{2t-2} = \big(x' - (x' + RC_{t-1})^3 + \delta_1,\ -x' + \delta_2,\ \delta_3, \ldots, \delta_t\big),$ 

where $x' = x + \sum_{i=1}^{t-2} \beta_i$. Starting from Round (2t − 2), the algebraic degree of 
the branches generally grows by a multiplicative factor of 3 per round, namely, 
the algebraic degree at Round (2t − 2 + r) is at most $3^{r+1}$. 

Next, consider another initial state of the permutation of the form 

$Y_0 = (a_1, \ldots, a_{t-2}, y, f(y)),$ 

where the initial constants $a_i$ are identical to those of $X_0$. Note that the initial 
difference between the states is of the form 

$\Delta_0 = X_0 - Y_0 = (0, \ldots, 0, \mu_0(x,y), \mu_0'(x,y)).$ 

Then, the state $Y_{2t-2}$ after Round (2t − 2) is described as 

$Y_{2t-2} = \big(y' - (y' + RC_{t-1})^3 + \delta_1,\ -y' + \delta_2,\ \delta_3, \ldots, \delta_t\big).$ 

Therefore, the choice of the initial states of the two inputs assures that (2t − 2) 
rounds of the differential characteristic are satisfied with probability one. At 
Round 2t, we have 

$\Delta_{2t} = X_{2t} - Y_{2t} = \big(\mu_2(x,y)+\mu_2'(x,y), \ldots, \mu_2(x,y)+\mu_2'(x,y),\ \mu_0(x,y)+\mu_2'(x,y),\ \mu_0'(x,y)+\mu_2(x,y)\big),$ 

and we require $\mu_2(x,y) + \mu_2'(x,y) = 0$, which is a polynomial equation of degree 
$3^{2+1} = 27$ in the variables x, y. Since we have 2 variables and only one equation 
in $\mathbb{F}_q$, we can set one of the variables to an arbitrary constant and solve a 
univariate polynomial equation in the other variable. We expect one solution on 
average, which gives an input pair that satisfies the differential characteristic for 
2t rounds. Since the next (t − 2) rounds are satisfied with probability one, we 
can satisfy 3t − 2 rounds at the cost of solving a univariate polynomial equation 
over $\mathbb{F}_q$ of degree 27 (which has very low complexity). 
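The two-word differential of Section 5.2 and the controlled (3t − 2)-round characteristic above, checked on a toy instance; this is an added example, not code from the paper or from the GMiMC reference implementation. It assumes the GMiMC_erf round $(x_1,\ldots,x_t) \mapsto (x_2 + F(x_1), \ldots, x_t + F(x_1), x_1)$ with $F(x) = (x + RC_i)^3$, a constructed prime p = 101 with t = 4 branches and constructed round constants, and a choice of f(x) (not the paper's Section 4 definition, which this page does not reproduce) that produces the stated shape of $X_{2t-2}$; the degree-27 root finding is replaced by brute force, which is only feasible because the field is tiny.

```python
import random

P = 101   # constructed toy prime with gcd(3, P-1) = 1, so x -> x^3 permutes F_P
T = 4     # toy number of branches (the paper's instances use t = 12 or t = 14)
rng = random.Random(2020)
RC = [rng.randrange(P) for _ in range(8 * T)]   # constructed round constants RC_1, RC_2, ...


def gmimc_round(state, rc):
    """One GMiMC_erf round (assumed form): cube the first branch plus the round
    constant, add the result to every other branch, rotate the first branch to the end."""
    f = pow((state[0] + rc) % P, 3, P)
    return [(s + f) % P for s in state[1:]] + [state[0]]


def trace(state, nrounds):
    """States X_0, X_1, ..., X_nrounds; round i (1-indexed) uses RC[i-1]."""
    out = [list(state)]
    for i in range(nrounds):
        out.append(gmimc_round(out[-1], RC[i]))
    return out


def diff(a, b):
    """Word-wise difference a - b over F_P."""
    return [(u - v) % P for u, v in zip(a, b)]


def active_words(d):
    """Indices of the non-zero words of a difference vector."""
    return [i for i, v in enumerate(d) if v]


def two_word_differential(x, y):
    """Section 5.2: follow an input difference (0,...,0,a,a') for t rounds.
    Returns the differences after t-2 and after t rounds, plus the Sbox output
    differences beta (round t-1) and beta' (round t) taken by this pair."""
    tx, ty = trace(x, T), trace(y, T)

    def sbox_diff(r):  # difference of the cube outputs at round r (1-indexed)
        fx = pow((tx[r - 1][0] + RC[r - 1]) % P, 3, P)
        fy = pow((ty[r - 1][0] + RC[r - 1]) % P, 3, P)
        return (fx - fy) % P

    return diff(tx[T - 2], ty[T - 2]), diff(tx[T], ty[T]), sbox_diff(T - 1), sbox_diff(T)


def controlled_state(a, x):
    """Section 5.3: initial state (a_1,...,a_{t-2}, x, f(x)).  The paper takes f from
    its Section 4; here (assumption) f is chosen so that the cube outputs of rounds
    t-1 and t cancel, which yields the stated shape of X_{2t-2}:
    (x' - (x'+RC_{t-1})^3 + d_1, -x' + d_2, d_3, ..., d_t) with x' = x + sum(beta_i)."""
    probe = trace(list(a) + [x, 0], T - 2)[-1]
    xp, shift = probe[0], probe[1]        # x', and sum(beta_i) collected by a 0 last branch
    s = pow((xp + RC[T - 2]) % P, 3, P)   # cube output of round t-1
    fx = (-shift - s - RC[T - 1] - xp - RC[T - 2]) % P
    return list(a) + [x, fx]


def find_conforming_pair(a):
    """Brute-force stand-in for the univariate root finding of Section 5.3: find
    x != y such that mu_2 + mu_2' = 0, i.e. the first word of the difference at
    round 2t vanishes.  Returns (X_0(x), X_0(y), trace_x, trace_y) over 3t-2
    rounds, or None if no such pair exists for these constants."""
    for y in range(P):
        ys = controlled_state(a, y)
        ty = trace(ys, 3 * T - 2)
        for x in range(y + 1, P):
            xs = controlled_state(a, x)
            tx = trace(xs, 3 * T - 2)
            if diff(tx[2 * T], ty[2 * T])[0] == 0:
                return xs, ys, tx, ty
    return None


if __name__ == "__main__":
    d_t2, d_t, beta, beta2 = two_word_differential([5, 7, 11, 13], [5, 7, 20, 90])
    print("after t-2 rounds:", d_t2, "after t rounds:", d_t, "beta, beta':", beta, beta2)
    found = find_conforming_pair([3, 4])
    if found:
        xs, ys, tx, ty = found
        for r in (0, 2 * T - 2, 2 * T, 3 * T - 2):
            print(f"round {r:2d}: active words {active_words(diff(tx[r], ty[r]))}")
```

The active-word pattern printed for the conforming pair is (t−2, t−1) at round 0, (0, 1) at round 2t−2, (t−2, t−1) at round 2t and (0, 1) at round 3t−2, i.e. the iterative characteristic followed for 3t−2 rounds.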
Satisfying 4t − 2 rounds in an inside-out setting. In an inside-out setting, the 
differential characteristic can be extended from (3t − 2) rounds to (4t − 2) rounds 
algebraically, by adding t rounds before the initial state. Indeed, since the initial 
state is described by polynomials of degree 3, the state at round (−2) can be 
described by polynomials of degree 27: 

$\Delta_{-2} = X_{-2} - Y_{-2} = \big(\mu_{-1}(x,y)+\mu_{-1}'(x,y), \ldots, \mu_{-1}(x,y)+\mu_{-1}'(x,y),\ \mu_0(x,y)+\mu_{-1}'(x,y),\ \mu_0'(x,y)+\mu_{-1}(x,y)\big).$ 

Thus, we require $\mu_{-1}(x,y) + \mu_{-1}'(x,y) = 0$ in addition to $\mu_2(x,y) + \mu_2'(x,y) = 0$. 
This defines a system of two equations of degree 27 in two variables. Any solution 
with $x \neq y$ defines a pair of states that satisfies a differential characteristic from 
round (−t) to round (3t − 2), because rounds (−t) to (−2) are satisfied with 
probability 1. 

To solve the system, we first divide each equation by (y − x) to eliminate 
trivial solutions with x = y. Then we compute a Gröbner basis of the resulting 
system. Using the MAGMA software, this can be done in less than one minute 
on a standard PC (solving the system also has very low complexity by our 
theoretical estimate). Moreover, this can be extended to a distinguisher on 66 
rounds by considering a truncated difference in the input and output. We give 
an example in Figure 6. 





load('GMiMC_erf.sage')  # https://starkware.co/hash-challenge/
S128d_40 = GMiMCParams(field=F61, r=8, c=4, num_rounds=66)

# Two inputs whose difference satisfies Delta_0[10] = Delta_0[11]
x = vector(F61, [
    2136504846259473744, 1283314153929910666, 1750372136437271205,
    1867169825994287512, 821961362109051955, 1707450857617152361,
    552784820823413051, 484096115705447781, 887825053625051502,
    527122293700370254, 925898050459212322, 1348485354687005037])
y = vector(F61, [
    605957700298844821, 2195497570512456035, 1242887650166759306,
    1453303426557585887, 2164561375454964764, 333859287618218787,
    1549736142184771152, 1358466196860349803, 121930483920884288,
    647266587342612993, 425900737534652142, 848488041762444857])

print("Input diff : " + " ".join(["{:20}".format(u.lift()) for u in y - x]))
x = erf_feistel_permutation(x, S128d_40)
y = erf_feistel_permutation(y, S128d_40)
# After 66 rounds the first two output words carry the same difference
print("Output diff: " + " ".join(["{:20}".format(u.lift()) for u in y - x]))


Figure 6: Sagemath code verifying a pair of inputs with a distinguishing property 
on 66 rounds of GMIMC-128-d: $\Delta_0[10] = \Delta_0[11]$ and $\Delta_{66}[0] = \Delta_{66}[1]$. 
Satisfying 4t − 4 rounds. If we want to use the differential in a collision attack, 
we must preserve the value of some initial state words, and we cannot use the 
inside-out technique. We describe an alternative technique, using a modified 
differential with four active state words: 

$(0,\ldots,0,\mu_0,\mu_0',\mu_0'',\mu_0''') \xrightarrow{R^{t-4}} (\mu_0,\mu_0',\mu_0'',\mu_0''',0,\ldots,0)$ 
$\xrightarrow{R} (\mu_0'+\mu_1,\ \mu_0''+\mu_1,\ \mu_0'''+\mu_1,\ \mu_1,\ldots,\mu_1,\ \mu_0)$ 
$\xrightarrow{R} (\mu_0''+\mu_1+\mu_1',\ \mu_0'''+\mu_1+\mu_1',\ \mu_1+\mu_1',\ldots,\mu_1+\mu_1',\ \mu_0+\mu_1',\ \mu_0'+\mu_1)$ 
$\xrightarrow{R} (\mu_0'''+\mu_1+\mu_1'+\mu_1'',\ \mu_1+\mu_1'+\mu_1'',\ldots,\mu_1+\mu_1'+\mu_1'',\ \mu_0+\mu_1'+\mu_1'',\ \mu_0'+\mu_1+\mu_1'',\ \mu_0''+\mu_1+\mu_1')$ 
$\xrightarrow{R} (\bar{\mu}_1,\ldots,\bar{\mu}_1,\ \mu_0+\bar{\mu}_1-\mu_1,\ \mu_0'+\bar{\mu}_1-\mu_1',\ \mu_0''+\bar{\mu}_1-\mu_1'',\ \mu_0'''+\bar{\mu}_1-\mu_1''')$ 

with $\bar{\mu}_1 = \mu_1 + \mu_1' + \mu_1'' + \mu_1'''$. 

As in Section 5.2, we require that $\bar{\mu}_1 = 0$. This happens with probability 
$2^{-n}$, and results in an iterative truncated characteristic $(0,\ldots,0,*,*,*,*) \xrightarrow{t} (0,\ldots,0,*,*,*,*)$. 

As in the previous attack, we build an initial state with special relations to 
control the first t rounds with probability one: 

$X_0 = (a_1, \ldots, a_{t-4}, x, f(x), y, f(y)).$ 

This ensures that the state at Round (2t − 4) is of the form: 

$X_{2t-4} = \big(x' - (x'+RC_{t-3})^3 + \delta_1,\ -x' + \delta_2,\ y' - (y'+RC_{t-1})^3 + \delta_3,\ -y' + \delta_4,\ \delta_5, \ldots, \delta_t\big).$ 

Instead of considering two different states with this shape (with four unknowns 
in total), we will consider one variable state and one fixed state with (x, y) = 
(0, 0). When we consider the state at Round (2t), we have 

$\Delta_{2t} = X_{2t} - X_{2t}(0,0) = \big(\bar{\mu}_2,\ldots,\bar{\mu}_2,\ \mu_1+\bar{\mu}_2-\mu_2,\ \mu_1'+\bar{\mu}_2-\mu_2',\ \mu_1''+\bar{\mu}_2-\mu_2'',\ \mu_1'''+\bar{\mu}_2-\mu_2'''\big),$ 

where $(\mu_1, \mu_1', \mu_1'', \mu_1''')$ are polynomials of degree 3, 1, 3, and 1 respectively (as 
seen in $X_{2t-4}$), and $(\mu_2, \mu_2', \mu_2'', \mu_2''')$ are polynomials of degree 9, 27, 81, and 243, 
with $\bar{\mu}_2 = \mu_2 + \mu_2' + \mu_2'' + \mu_2'''$. All polynomials have variables x and y, and 
$X_{2t}(0,0)$ is a vector of constants. We now require $\bar{\mu}_2(x,y) = 0$, and we can 
simplify the state using this assumption: 

$X_{2t} = X_{2t}(0,0) + \big(0,\ldots,0,\ \mu_1-\mu_2,\ \mu_1'-\mu_2',\ \mu_1''-\mu_2'',\ \mu_1'''+\mu_2+\mu_2'+\mu_2''\big).$ 

We obtain an expression of degree (0, …, 0, 9, 27, 81, 81). 

When we focus on Round (3t), we can now express the condition of the 
differential as a polynomial of degree 729. Therefore, we have a system of two 
equations of degree 243 and 729 in two variables. To estimate the complexity of 
solving the system, recall that we factor the resultant of these polynomials in 
time $d^{1.5+o(1)}$ bit operations. In our case, d = 243 · 729 = 177,147. 

Any solution with (x, y) ≠ (0, 0) defines a state such that (X(x, y), X(0, 0)) 
satisfies the differential characteristic up to round (4t − 4), because rounds (3t) 
to (4t − 4) are satisfied with probability one. 


Extending the differentials. All these attacks can be extended probabilistically 
by finding about q different input pairs that satisfy the differential characteristic 
(each pair is found by choosing different constants $a_i$ in the initial state). With 
high probability, one of these input pairs will also satisfy the next differential 
transitions, and follow the characteristic for t more rounds. 


5.4 Reduced-round collision attacks 


We can build collisions on a reduced number of rounds by using the same ideas as 
for the previous structural or algebraic differential distinguishers. The additional 
constraint that we have now compared to distinguishers is that any values that 
need to be chosen must be assigned to the rate part, i.e. the 8 left-most words in 
GMIMC-128-d, and the capacity part, i.e. the 4 right-most words in GMIMC- 
128-d, will be fixed to a known value we cannot choose. 


Building collisions with structures. We won't use the 3-word differential but 
the 2-word one, as using the full 2n structure from the 2-word one already 
implies a complexity equivalent to that of a generic collision attack. Instead of 
having t = 12 free rounds at the beginning, we will have only 8, due to the 4 
words reserved for the capacity. With a cost of $2^{rn}$ we can then go through rt 
rounds maintaining the same differential. Finally, we can freely add (t − 2) rounds 
that preserve the differences in the rate part and, consequently, can finally be 
cancelled: 

$(0,\ldots,0,\alpha,\alpha',0,0,0,0) \xrightarrow{t-6} (\alpha,\alpha',0,\ldots,0) \xrightarrow{rt} (\beta,\beta',0,\ldots,0).$ 

This differential has a probability of $2^{-n}$, and would allow us to build collisions 
up to 3t − 6 rounds, so for 30 rounds for GMIMC-128-d. If we use structures 
we can improve this: if we build a structure of size $2^{n}$, with the cost of the 
structure we can verify a probability up to $2^{-2n}$. If we choose structures of size 
$2^{3n/2}$ we can consider r = 3. This would provide collisions for 4t − 6 rounds. 
For GMIMC-128-d this implies collisions on 42 rounds with a cost of $2^{97}$, and 
for GMIMC-256 it implies collisions on 50 rounds with a complexity of $2^{187}$. 


Building collisions with algebraically controlled techniques. To use the alge-
braically controlled techniques in a collision attack, we must not use any differ-
ence in the inner part of the sponge. As noted, in the case of GMIMC-128-d, 
we have c = 4, therefore, we start from a state 

$X_0 = (a_1, \ldots, a_4, x, f(x), y, f(y), a_9, \ldots, a_{12})$ 

and we have a characteristic over 4t − 4 − c = 40 rounds. In MAGMA, this takes 
a few minutes using less than 3GB of RAM. We give an example of a conforming 
pair in Figure 7, where all the $a_i$ constants have been set to zero. This attack can 
be extended to t more rounds probabilistically, with (asymptotic) complexity of 
$q \cdot d^{1.5+o(1)}$ bit operations. In our case, d = 177,147 and we obtain an estimate 
of about $2^{87}$ if we ignore the o(1) term. 





load('GMiMC_erf.sage')  # https://starkware.co/hash-challenge/
S128d_40 = GMiMCParams(field=F61, r=8, c=4, num_rounds=40)

# The two inputs differ only in the rate words 5..8; the capacity words are zero
x = vector(F61, [0, 0, 0, 0, 0, 1265014881285225376,
                 0, 1323963633845726391, 0, 0, 0, 0])
y = vector(F61, [0, 0, 0, 0, 1687869230625042828, 1678073603247747657,
                 1246244071391540901, 1919915214622971772, 0, 0, 0, 0])

print("Input diff : " + " ".join(["{:20}".format(u.lift()) for u in y - x]))
x = erf_feistel_permutation(x, S128d_40)
y = erf_feistel_permutation(y, S128d_40)
print("Output diff: " + " ".join(["{:20}".format(u.lift()) for u in y - x]))


Figure 7: Sagemath code verifying a pair of inputs following the characteristic 
for a 40-round collision attack on GMIMC-128-d. 


6 Attacks on HADESMIMC 


This section describes two types of attacks against HADESMIMC, which both 
exploit the propagation of affine subspaces over the partial rounds. The first 
one is an integral distinguisher covering all rounds except the first two rounds 
for most sets of parameters. The second one is a preimage attack on the full 
function which applies when the MDS matrix defining the linear layer has, up to 
multiplication by a scalar, a low multiplicative order. It is worth noticing that, 
while the designers of HADESMIMC do not mention any requirements on this 
MDS matrix, they provide several suggestions. For STARKAD and POSEIDON, 
Cauchy matrices are used [24]. In Appendix C, we identify weak instances 
from this class of matrices. Alternatively, the HADESMIMC authors propose 
in their Appendix B the use of a matrix of the form $A \times B^{-1}$ where both A and B 
are Vandermonde matrices with generating elements $a_i$ and $b_i$. In this case, if 
$a_i = b_i + r$ for some $r \in \mathbb{F}_q$, then the resulting MDS matrix will be an involution 
for $\mathbb{F}_q$ of characteristic two [33]. Similarly, in characteristic $p \neq 2$, one obtains 
an involution whenever $a_i = -b_i$. 
6.1 Integral distinguishers 


In HADESMIMC, the number of rounds has been chosen by the designers in such 
a way that, when each coordinate of the output is expressed as a polynomial in 
t variables over $\mathbb{F}_q$, then the degree of this polynomial in each input is close to 
(q − 1), which is the behaviour expected for a randomly chosen permutation. 
Assuming that the degree grows as $3^r$ for r rounds (which is an upper bound), 
$\lceil \log_3(t(q-1)) \rceil$ rounds are enough to get a polynomial of total degree (q − 1)t. For 
the concrete parameters, i.e. t = 12 and $q = 2^{61} + 20 \times 2^{32} + 1$ for POSEIDON, 
we get that 41 rounds (out of 48 in total) are necessary to achieve maximal 
degree. For STARKAD with t = 12 and $q = 2^{63}$, 43 rounds (out of 51 in total) 
are necessary. 


An integral property. Our idea to improve upon the trivial bound above by a few 
partial rounds is to choose a specific subspace of inputs. Indeed, we are going to 
construct a one-dimensional subspace V such that t − 1 partial rounds will map 
any coset $V + v_0$ onto a coset of another one-dimensional subspace W. Adding 
at most $\lfloor \log_3(q-2) \rfloor$ rounds (either full or partial) ensures that the conditions 
of Corollary 1 are satisfied and thus the outputs sum to zero. 

$V + v \xrightarrow{R^{t-1}} W + w \xrightarrow{\deg < q-1} \text{zero sum}.$ 

Let us denote by V a linear subspace of internal states after the Sbox layer 
of the last of the first $R_F/2$ full rounds (see Figure 8). Then, this subspace leads 
to an affine subspace at the input of the first partial round, which is a coset of 
L(V). The following lemma guarantees the existence of a nontrivial vector space 
L(V) such that any coset of L(V) is mapped to a coset of $W = L^{t}(V)$ after t − 1 
partial rounds. 


Lemma 1. Let $F: \mathbb{F}_q^t \to \mathbb{F}_q^t$ denote a permutation obtained from r ≥ 1 partial 
HADESMIMC rounds instantiated with linear layer L. If L has multiplicative 
order h up to multiplication by a scalar, then there exists a vector space V with 
$\dim V \ge t - \min\{h, r\}$ such that $F(x + V) \subseteq F(x) + L^r(V)$ for all $x \in \mathbb{F}_q^t$. 


Proof. Let $V = \langle \delta_t, L^T(\delta_t), \ldots, (L^T)^{r-1}(\delta_t) \rangle^{\perp}$ where $\delta_t = (0,\ldots,0,1)$. Clearly, 
dim V satisfies the desired lower bound. It suffices to show that for all $x \in \mathbb{F}_q^t$ and 
$v \in V$, $F(x+v) = F(x) + L^r(v)$. Let $F = R_r \circ \cdots \circ R_1$. Since the last coordinate 
of any v in V is zero, i.e. $v \perp \delta_t$, the image of x + V by the partial Sbox layer 
is a coset of V. It follows that $R_1(x+v) = R_1(x) + L(v)$. Similarly, for Round 
i = 2, …, r, it holds that $R_i(x_i + L^{i-1}(v)) = R_i(x_i) + L^{i}(v)$ if $L^{i-1}(v) \perp \delta_t$ or 
equivalently $v \perp (L^T)^{i-1}(\delta_t)$. 

Let us consider any coordinate y of the output of the permutation after 
adding r additional (partial or full) rounds. When $x_0$ varies in V, these output 
words correspond to the images by the additional rounds of the elements $x_1$ in a 
coset of $W = L^{t}(V)$, which we denote by w + W (see Figure 8). As the polynomial 
corresponding to the r additional rounds has degree at most $3^r$, it then follows 
using Corollary 1 that 

$\sum_{x_0 \in V} y(x_0) = \sum_{x_1 \in w + W} y(x_1) = \sum_{x \in \mathbb{F}_q} P(x) = 0,$ 

as long as r is at most $\lfloor \log_3(q-2) \rfloor$. 

Thus, in total this covers $(t - 1) + \lfloor \log_3(q-2) \rfloor$ rounds, starting after the 
first full rounds. For most sets of concrete parameters, this actually exceeds the 
recommended number of rounds in the forward direction for both POSEIDON 
and STARKAD. Furthermore, Lemma 1 implies that if the linear layer L has 
multiplicative order less than t − 1, then the distinguisher covers an arbitrary 
number of partial rounds. 


[Figure 8 (diagram): Sbox layers S and linear layers L acting on the subspaces U, V and W; 
t − 1 partial rounds followed by $\lfloor \log_3(q-2) \rfloor$ full or partial rounds] 

Figure 8: Zero-sum distinguisher against POSEIDON and STARKAD covering (2 + 
4) full rounds and all partial rounds. 


Zero-sum distinguishers over $\mathbb{F}_q$. By extending the above-mentioned approach 
in the backwards direction, we can construct a zero-sum distinguisher with 
a (slightly) extended number of rounds as depicted in Figure 8. The prob-
lem is that, contrary to the case of GMIMC, the inverse round function in 
HADESMIMC is very different from the round function itself, and it has a much 
higher degree. Indeed, the inverse of the cube mapping over $\mathbb{F}_q$ is the power 
function $x \mapsto x^{(2q-1)/3}$. By using classical bounds on the degree, we cannot 
guarantee a degree lower than (q − 2) for more than a single round backwards. 

However, V being one-dimensional allows us to overcome one additional layer of 
Sboxes, and thus one additional round. Namely, as V is a one-dimensional space 
there exists a vector $v = (v_1, \ldots, v_t) \in \mathbb{F}_q^t$ such that 

$V = \{(x v_1, x v_2, \ldots, x v_t) \mid x \in \mathbb{F}_q\}.$ 

The image of V under the inverse of the full Sbox layer consists of all the 
vectors in $\mathbb{F}_q^t$ of the form 

$((x v_1)^{1/3}, \ldots, (x v_t)^{1/3}) = x^{1/3} (v_1^{1/3}, \ldots, v_t^{1/3}).$ 

As a consequence, this image is again a one-dimensional vector space having the 
same form, namely $U = \{x'(u_1, \ldots, u_t) \mid x' \in \mathbb{F}_q\}$ where $u_i = v_i^{1/3}$ for all $0 < 
i \le t$. It is worth noticing that this particular structure does not propagate over 
more rounds because of the addition of a round constant. Then, any coordinate 
y at the input of the previous round is the image of an element $z = x' u$ in U by 
an affine layer, followed by the inverse of the Sbox, i.e., by $x \mapsto x^{1/3}$ (see Figure 8). 
We can then consider this mapping as a function of $x' \in \mathbb{F}_q$, and express it as a 
polynomial Q with coefficients in $\mathbb{F}_q$. Since the degree of this polynomial is the 
degree of the inverse Sbox, it does not exceed (q − 2). Using the notation from 
Figure 8, we then have 

$\sum_{x_0 \in V} y(x_0) = \sum_{x_0 \in U} y(x_0) = \sum_{x' \in \mathbb{F}_q} Q(x') = 0.$ 

For most sets of proposed parameters, this provides a zero-sum distinguisher 
with data complexity q on HADESMIMC for all but the two initial rounds, i.e. 
for 2+4 full rounds (2 at the beginning and 4 at the end), and all partial rounds, 
as detailed in Table 4. Again, for instantiations of HADESMIMC with a linear 
layer of multiplicative order less than t − 1, the distinguisher covers an arbitrary 
number of partial rounds. 








                           POSEIDON                            STARKAD
security    t   log2 q   proposed    nb of rounds   log2 q   proposed    nb of rounds
level                    R_F, R_P    of the ZS               R_F, R_P    of the ZS

128 bits   12     61      8, 40      2+4, 45          63      8, 43      2+4, 46
            4    125      8, 81      2+4, 77         125      8, 85      2+4, 77
           12    125      8, 83      2+4, 85         125      8, 86      2+4, 85
            3    253      8, 83      2+4, 157        255      8, 85      2+4, 158
           12    253      8, 85      2+4, 165        255      8, 88      2+4, 166
256 bits    8    125      8, 82      2+4, 81         125      8, 86      2+4, 81
           14    125      8, 83      2+4, 87         125      8, 83      2+4, 87


Table 4: Number of rounds of HADESMIMC covered by the zero-sum distin-
guisher of complexity q. 




6.2 Finding preimages by linearization of the partial rounds 


This section shows that, when the linear layer in HADESMIMC has a low mul-
tiplicative order, the propagation of linear subspaces through all partial rounds 
leads to a much more powerful attack. Indeed, we now show that the existence 
of perfect linear approximations over the partial rounds of HADESMIMC, as 
detailed in Lemma 2, can be used to set up a simplified system of equations for 
finding preimages, leading to a full-round preimage attack. 
Lemma 2. Let $F: \mathbb{F}_q^t \to \mathbb{F}_q^t$ denote a permutation obtained from r ≥ 1 par-
tial HADESMIMC rounds instantiated with linear layer L and round constants 
$c_1, \ldots, c_r$. Let $V \subseteq \mathbb{F}_q^t$ be the vector space $V = \langle L(\delta_t), L^2(\delta_t), \ldots, L^r(\delta_t) \rangle^{\perp}$, where 
$\delta_t = (0, \ldots, 0, 1)$. Then, for all $x \in \mathbb{F}_q^t$ and $v \in V$, 

$v \cdot F(x) = v \cdot L^r(x) + \sum_{i=1}^{r} v \cdot L^{r-i+1}(c_i),$ 

where $u \cdot v$ denotes the usual scalar product in $\mathbb{F}_q^t$. Furthermore, if L has multi-
plicative order h, then $\dim V \ge t - \min\{h, r\}$. 


Proof. Let $F_r = R_r \circ R_{r-1} \circ \cdots \circ R_1$, where $R_i$ denotes the ith partial round of 
HADESMIMC, namely $R_i(x) = L \circ S(x + c_i)$. We proceed by induction on r. For 
r = 1, we have, for any v and x, 

$v \cdot R_1(x) = L^T(v) \cdot S(x + c_1) = L^T(v) \cdot (x + c_1) = v \cdot L(x) + v \cdot L(c_1)$ 

if the last coordinate of $L^T(v)$ is zero, or equivalently $L^T(v) \cdot \delta_t = v \cdot L(\delta_t) = 0$. 
Let us now consider Round r and $v \in \langle L(\delta_t), L^2(\delta_t), \ldots, L^r(\delta_t) \rangle^{\perp}$. For any 
$y \in \mathbb{F}_q^t$, we have 

$v \cdot R_r(y) = L^T(v) \cdot S(y + c_r) = L^T(v) \cdot (y + c_r)$ 

since $L^T(v) \cdot \delta_t = v \cdot L(\delta_t) = 0$. Letting $y = F_{r-1}(x)$, it follows that 

$v \cdot F_r(x) = L^T(v) \cdot F_{r-1}(x) + L^T(v) \cdot c_r = L^T(v) \cdot L^{r-1}(x) + \sum_{i=1}^{r-1} L^T(v) \cdot L^{r-i}(c_i) + L^T(v) \cdot c_r,$ 

where the last equality is deduced from the induction hypothesis using that 
$L^T(v)$ belongs to $\langle L(\delta_t), \ldots, L^{r-1}(\delta_t) \rangle^{\perp}$. Finally, it is easy to see that the di-
mension of $V^{\perp}$ can be upper bounded as $\dim V^{\perp} \le \min\{h, r, t\}$. Hence, $\dim V \ge 
t - \min\{h, r\}$. 


Suppose that $L$ is such that the vector space $V$ from Lemma 2 is of dimension
$d$. It will be shown that, if $d$ is sufficiently large, such an instantiation
of HADESMIMC is vulnerable to preimage attacks for some choices of the rate and
capacity parameters of the sponge construction. In particular, when the MDS
matrix $L$ is an involution, we obtain $d = t - 2$.

By Lemma 2, there exists a matrix $U_1 \in \mathbb{F}_q^{d \times t}$ such that
$U_1 F(x) = U_1(L^r(x) + a)$ for a known constant $a$. Indeed, let the rows of
$U_1$ be a basis for $V$. Furthermore, let $U_2 \in \mathbb{F}_q^{(t-d) \times t}$
be a matrix with row space complementary to the row space of $U_1$. For each
$x$, writing $y = F(x)$, it holds that

$$ U_1 y = U_1\Big(L^r(x) + \sum_{i=1}^{r} L^{r-i+1}(c_i)\Big), \qquad U_2 y = U_2 F(x). \qquad (4) $$
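
As an added illustration (not code from the paper), the following Python script
instantiates Lemma 2 and relation (4) on a toy chain of partial rounds over
$\mathbb{F}_{101}$ with $t = 6$. The linear layer is a Householder reflection
$L = I - 2uu^{\mathsf{T}}/(u^{\mathsf{T}}u)$, chosen here only because $L^2 = I$
is easy to guarantee (STARKAD and POSEIDON use Cauchy matrices); $V$ is computed
as the right kernel of the vectors $L^i(\delta_t)$, its dimension is checked to
be $t - 2$, and $v \cdot F(x) = v \cdot L^r(x) + \sum_i v \cdot L^{r-i+1}(c_i)$
is verified on a batch of inputs. The prime, the width, the round constants and
$u$ are all assumptions of the example; the partial Sbox is $x \mapsto x^3$ on
the last word.

```python
"""Toy check of Lemma 2 and relation (4) for HadesMiMC partial rounds over F_p.

Added example, not code from the paper. p = 101, t = 6, the Householder
involution L and the round constants are illustrative choices; the lemma
itself holds for any linear layer L and any constants.
"""
P = 101   # toy prime; gcd(3, p - 1) = 1, so x -> x^3 permutes F_p
T = 6     # state width t

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

def vadd(u, v):
    return [(a + b) % P for a, b in zip(u, v)]

def matvec(M, v):
    return [dot(row, v) for row in M]

def matmul(A, B):
    cols = list(zip(*B))
    return [[dot(row, col) for col in cols] for row in A]

def identity():
    return [[int(i == j) for j in range(T)] for i in range(T)]

def mat_pow(M, e):
    R = identity()
    for _ in range(e):
        R = matmul(R, M)
    return R

def householder(u):
    """L = I - 2 u u^T / (u^T u): an involution (L^2 = I) whenever u^T u != 0 in F_p."""
    inv_s = pow(dot(u, u), P - 2, P)
    return [[(int(i == j) - 2 * u[i] * u[j] * inv_s) % P for j in range(T)] for i in range(T)]

def right_kernel(rows):
    """Basis of {v : row . v = 0 for every row} over F_p, by row reduction to RREF."""
    A = [r[:] for r in rows]
    pivots, rank = [], 0
    for col in range(T):
        piv = next((i for i in range(rank, len(A)) if A[i][col]), None)
        if piv is None:
            continue
        A[rank], A[piv] = A[piv], A[rank]
        inv = pow(A[rank][col], P - 2, P)
        A[rank] = [(a * inv) % P for a in A[rank]]
        for i in range(len(A)):
            if i != rank and A[i][col]:
                f = A[i][col]
                A[i] = [(a - f * b) % P for a, b in zip(A[i], A[rank])]
        pivots.append(col)
        rank += 1
    basis = []
    for free in (c for c in range(T) if c not in pivots):
        v = [0] * T
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-A[i][free]) % P
        basis.append(v)
    return basis

def subspace_V(L, r):
    """V = <L(delta_t), ..., L^r(delta_t)>^perp, returned as a basis (the rows of U_1)."""
    gens, v = [], [0] * (T - 1) + [1]
    for _ in range(r):
        v = matvec(L, v)
        gens.append(v)
    return right_kernel(gens)

def partial_round(L, c, x):
    """R_i(x) = L(S(x + c_i)), where S cubes the last word only (partial Sbox layer)."""
    y = vadd(x, c)
    y[T - 1] = pow(y[T - 1], 3, P)
    return matvec(L, y)

def partial_rounds(L, consts, x):
    for c in consts:
        x = partial_round(L, c, x)
    return x

def affine_constant(L, consts):
    """a = sum_i L^{r-i+1}(c_i): the constant term of Lemma 2 and of relation (4)."""
    r, a = len(consts), [0] * T
    for i, c in enumerate(consts, start=1):
        a = vadd(a, matvec(mat_pow(L, r - i + 1), c))
    return a

def lemma2_holds(L, consts, x):
    """Check U_1 F(x) = U_1 (L^r x + a) for every basis vector of V, i.e. relation (4)."""
    r = len(consts)
    lhs = partial_rounds(L, consts, x)
    rhs = vadd(matvec(mat_pow(L, r), x), affine_constant(L, consts))
    return all(dot(v, lhs) == dot(v, rhs) for v in subspace_V(L, r))

if __name__ == "__main__":
    L = householder([1, 2, 3, 4, 5, 6])            # u^T u = 91 != 0 mod 101
    assert matmul(L, L) == identity()
    r = 5
    consts = [[(7 * i + 3 * j) % P for j in range(T)] for i in range(r)]   # toy constants
    print("dim V =", len(subspace_V(L, r)), "(= t - 2 for an involutive L)")
    inputs = [[(11 * k + 5 * j) % P for j in range(T)] for k in range(20)]
    print("Lemma 2 holds on 20 inputs:", all(lemma2_holds(L, consts, x) for x in inputs))
```

Because the identity is exact, it holds for every $x$ and every number of
partial rounds; only $\dim V$ depends on $L$, which is what makes a linear layer
of small multiplicative order dangerous.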


Consider a HADESMIMC permutation in a sponge construction with rate $k$ and
capacity $c = t - k$. Computing preimages of a one-block message
$(y_1, \ldots, y_k) \in \mathbb{F}_q^k$ then corresponds to solving the system
of equations $[F'(x \,\|\, \mathrm{IV})]_i = y_i$, $i = 1, \ldots, k$, in the
unknowns $x_1, \ldots, x_k$.


The idea of the attack is simple: for each guess of $U_2 F(x) \in
\mathbb{F}_q^{t-d}$, replace the equations for the partial rounds by the affine
relations (4) and solve the resulting system of equations. In order to ensure
that the ideal generated by these equations is zero-dimensional, we should have
$k \le d$, which always holds when $L$ is an involution unless $c = 1$. Note
that we focus on the case where the number of output elements is equal to the
rate. This is the most challenging setting. Indeed, if the output size is
smaller than the rate, as in some of the StarkWare challenges, then the
preimage problem will typically have many solutions. This allows the attacker to
partially or completely avoid the guessing phase. If further degrees of freedom
remain after fixing $U_2 F(x)$ completely, one or more input elements may be
fixed to an arbitrary value.


In Appendix D we show that the total time cost of the attack can be estimated as

$$ 2\gamma\,(2\pi)^{-\omega/2}\, k^{2-\omega/2}\, e^{\omega k}\, 3^{(\omega k + 1)(R_F - 1)}\, q^{t-d}, $$

where $\omega$ is the asymptotic exponent of the time complexity of matrix
multiplication and $\gamma$ is such that the cost of computing the row-reduced
echelon form of an $m \times n$ matrix is $\gamma m n^{\omega}$.


For example, for an involutive $L$, $R_F = 8$ and an arbitrary number of partial
rounds, Figure 9a shows for which choices of $q$ and $t$ an improvement over the
generic security of the sponge construction is obtained. The insecure instances
are shaded in grey. Note that this domain corresponds to a conservative estimate
for the cost of row-echelon reduction, i.e. $\omega = 3$ and $\gamma = 3/2$. The
cost itself is shown in Figure 9b. We stress that these figures correspond to
the most challenging case, i.e. assuming that the hash output is of length $k$
and no shorter.


For the concrete STARKAD and POSEIDON instances specified in Table
we obtain better-than-generic attacks on some variants assuming that the hash
output has length $c \le k$. Indeed, provided that $c \le d/2 = t/2 - 1$, a
sufficiently large number of preimages is likely to exist so that it is no
longer necessary to guess $U_2 F(x)$. In addition, input variables may be fixed
until only $c + t - d$ free variables remain. This leads to a computational
cost of

$$ 2\gamma\,(2\pi)^{-\omega/2}\,(c+2)^{2-\omega/2}\, e^{\omega(c+2)}\, 3^{(\omega(c+2)+1)(R_F-1)} . $$

Note that, for these instances, we do not obtain relevant preimage attacks when
the output size exceeds $t/2 - 1$.
Figure 9: Cost analysis of the preimage attack on HADESMIMC with an involutive
linear layer and $R_F = 8$. (a) Minimum $t$ such that the cost is better than
generic for some choice of $k$. (b) Cost for different values of the rate $k$
with $t = 12$ and $\omega = 3$. The shaded areas correspond to parameters for
which the attack improves over the $q^{\min\{k, c/2\}}$ security level.








 Variant |  c  |      Computational cost
         |     |  omega = 2.8  |  omega = 3
 --------+-----+---------------+------------
 128-e   |  1  |   2^114.9     |  2^122.3
 256-b   |  4  |   2^221.1     |  2^235.7


Table 5: Overview of the computational cost (measured in $\mathbb{F}_q$
operations) of the preimage attack on different instances of POSEIDON and
STARKAD, assuming an involutive linear layer. These estimates assume that the
hash output has length $c$. For the variants 128-a, 128-b, 128-c, 128-d and
256-a, the attack does not improve over the generic security level of the
sponge.


7 Conclusions


Our analysis of STARK-friendly primitives clearly shows that the concrete
instances of GMIMC and HADESMIMC proposed in the StarkWare challenges present
several major weaknesses, independently of the choice of the underlying finite
field. At first glance, the third contender involved in the challenges, namely
VISION for the binary field and RESCUE for the prime fields [7], seems more
resistant to the cryptanalytic techniques we have used against the other two
primitives. This is rather to be expected, since VISION and RESCUE follow a more
classical SPN construction with full Sbox layers; for similar parameters, they
include a larger number of Sboxes, which may protect them from the undesirable
behaviours we have exhibited on the other primitives.

Another important aspect of our work is the extension of higher-order
differential and integral attacks to primitives operating on any finite field,
even of odd characteristic, while these attacks were previously defined over
binary fields only. This points out that the notion of symmetric primitives over
a prime field, which has been introduced very recently, needs to be further
analyzed in order to get a rigorous assessment of its security. While decades
of research have produced efficient cryptanalytic tools and security criteria
for primitives defined over $\mathbb{F}_2$, establishing the right tools to
analyze primitives over $\mathbb{F}_q$ for odd $q$ raises many new and
interesting open questions.
A Impossible differential attack on GMIMC


This section contains the technical details related to the impossible
differential attack on GMIMC from Section

Table 6 shows the differential propagation in the middle $t - 2$ rounds for
$t = 12$. It is valid only when the linear system of equations (5) has a
nontrivial solution.


Table 6: Middle $t - 2$ rounds of the new impossible differentials for $3t - 4$
rounds ($t = 12$). The first and last 11 rounds are trivial, thus omitted. The
notation $\alpha_{ijk\cdots}$ denotes $\alpha_i + \alpha_j + \alpha_k + \cdots$.
$\beta_{ijk\cdots}$ is similarly defined, but because it is for the inverse
direction, the sign of the term $\beta_i$ is plus for $i = 1$ and minus for
other $i$. For example, $\beta_{13456}$ denotes
$+\beta_1 - \beta_3 - \beta_4 - \beta_5 - \beta_6$.

 r  | dS_1     dS_2     dS_3     dS_4     dS_5     dS_6     dS_7     dS_8     dS_9     dS_10    dS_11    dS_12
----+-----------------------------------------------------------------------------------------------------------
 11 | α_1      0        0        0        0        0        0        0        0        0        0        0
 12 | α_2      α_2      α_2      α_2      α_2      α_2      α_2      α_2      α_2      α_2      α_2      α_1
 13 | α_23     α_23     α_23     α_23     α_23     α_23     α_23     α_23     α_23     α_23     α_13     α_2
 14 | α_234    α_234    α_234    α_234    α_234    α_234    α_234    α_234    α_234    α_134    α_24     α_23
 15 | α_2345   α_2345   α_2345   α_2345   α_2345   α_2345   α_2345   α_2345   α_1345   α_245    α_235    α_234
 16 | α_23456  α_23456  α_23456  α_23456  α_23456  α_23456  α_23456  α_13456  α_2456   α_2356   α_2346   α_2345
----+-----------------------------------------------------------------------------------------------------------
 16 | β_2345   β_2346   β_2356   β_2456   β_13456  β_23456  β_23456  β_23456  β_23456  β_23456  β_23456  β_23456
 17 | β_234    β_235    β_245    β_1345   β_2345   β_2345   β_2345   β_2345   β_2345   β_2345   β_2345   β_2345
 18 | β_23     β_24     β_134    β_234    β_234    β_234    β_234    β_234    β_234    β_234    β_234    β_234
 19 | β_2      β_13     β_23     β_23     β_23     β_23     β_23     β_23     β_23     β_23     β_23     β_23
 20 | β_1      β_2      β_2      β_2      β_2      β_2      β_2      β_2      β_2      β_2      β_2      β_2
 21 | 0        0        0        0        0        0        0        0        0        0        0        β_1

(Here dS_i denotes the difference in the $i$th state word after the given
round; the forward rows are obtained from round 11 downwards, the backward rows
from round 21 upwards.)

Equating the forward and backward differences of round 16 word by word gives
the linear system

$$
\begin{aligned}
\alpha_2 + \alpha_3 + \alpha_4 + \alpha_5 + \alpha_6 &= -\beta_2 - \beta_3 - \beta_4 - \beta_5 \\
\alpha_2 + \alpha_3 + \alpha_4 + \alpha_5 + \alpha_6 &= -\beta_2 - \beta_3 - \beta_4 - \beta_6 \\
\alpha_2 + \alpha_3 + \alpha_4 + \alpha_5 + \alpha_6 &= -\beta_2 - \beta_3 - \beta_5 - \beta_6 \\
\alpha_2 + \alpha_3 + \alpha_4 + \alpha_5 + \alpha_6 &= -\beta_2 - \beta_4 - \beta_5 - \beta_6 \\
\alpha_2 + \alpha_3 + \alpha_4 + \alpha_5 + \alpha_6 &= \beta_1 - \beta_3 - \beta_4 - \beta_5 - \beta_6 \\
\alpha_2 + \alpha_3 + \alpha_4 + \alpha_5 + \alpha_6 &= -\beta_2 - \beta_3 - \beta_4 - \beta_5 - \beta_6 \\
\alpha_1 + \alpha_3 + \alpha_4 + \alpha_5 + \alpha_6 &= -\beta_2 - \beta_3 - \beta_4 - \beta_5 - \beta_6 \\
\alpha_2 + \alpha_4 + \alpha_5 + \alpha_6 &= -\beta_2 - \beta_3 - \beta_4 - \beta_5 - \beta_6 \\
\alpha_2 + \alpha_3 + \alpha_5 + \alpha_6 &= -\beta_2 - \beta_3 - \beta_4 - \beta_5 - \beta_6 \\
\alpha_2 + \alpha_3 + \alpha_4 + \alpha_6 &= -\beta_2 - \beta_3 - \beta_4 - \beta_5 - \beta_6 \\
\alpha_2 + \alpha_3 + \alpha_4 + \alpha_5 &= -\beta_2 - \beta_3 - \beta_4 - \beta_5 - \beta_6 .
\end{aligned}
\qquad (5)
$$

From the 1st and 2nd equations, we get $\beta_5 = \beta_6$. Similarly, from
the 2nd and 3rd, 3rd and 4th, and 5th and 6th equations, we get
$\beta_4 = \beta_5$, $\beta_3 = \beta_4$, and $\beta_1 = -\beta_2$,
respectively. From the 4th and 5th equations, we get
$\beta_1 + \beta_2 - \beta_3 = 0$, which implies $\beta_3 = 0$ (and hence
$\beta_3 = \beta_4 = \beta_5 = \beta_6 = 0$). Similarly, we obtain
$\alpha_5 = \alpha_6$, $\alpha_4 = \alpha_5$, $\alpha_3 = \alpha_4$,
$\alpha_1 = \alpha_2$, $\alpha_1 - \alpha_2 + \alpha_3 = 0$ by comparing two of
the last 6 equations, so that $\alpha_3 = \alpha_4 = \alpha_5 = \alpha_6 = 0$.
Finally, by injecting those into the fifth equation, we get
$\alpha_1 = \beta_1$, hence the differential is impossible when
$\alpha_1 \neq \beta_1$.
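
The propagation in Table 6 and the contradiction derived from (5) can be
mechanised. The following Python script is an added example (not code from the
paper): it pushes formal differences through the expanding GMiMC round function
$(x_1, \ldots, x_t) \mapsto (x_2 + F(x_1), \ldots, x_t + F(x_1), x_1)$, forward
from $(\alpha_1, 0, \ldots, 0)$ and backward from $(0, \ldots, 0, \beta_1)$,
introducing a fresh symbol each time a nonzero difference enters $F$, and then
checks by Gaussian elimination over $\mathbb{Q}$ that $\alpha_1 - \beta_1$ lies
in the row space of the meeting equations, i.e. that every solution of (5) has
$\alpha_1 = \beta_1$. It generalises the page's $t = 12$ case to any even $t$
with $(t-2)/2$ rounds on each side; the round-function shape is the assumption
the example rests on.

```python
"""Symbolic difference propagation through the middle rounds of GMiMC_erf.

Added example, not code from the paper. It reproduces the forward and backward
rows of Table 6 that meet in round 16 and checks that the resulting linear
system (5) forces alpha_1 = beta_1, so the differential (alpha_1, 0, ..., 0) ->
(0, ..., 0, beta_1) over the middle t - 2 rounds is impossible when alpha_1 != beta_1.
Assumed round function: (x_1, ..., x_t) -> (x_2 + F(x_1), ..., x_t + F(x_1), x_1).
Values of F are never needed: a nonzero difference entering F yields a fresh
unknown output difference, which is all the analysis uses.
"""
from fractions import Fraction

def add(u, v, sign=1):
    """Formal sum u + sign*v of differences represented as {symbol: coefficient}."""
    out = dict(u)
    for k, c in v.items():
        out[k] = out.get(k, 0) + sign * c
        if out[k] == 0:
            del out[k]
    return out

def forward_round(state, fresh):
    """One GMiMC_erf round on differences; the output difference of F is `fresh`."""
    s1 = state[0]
    f = {fresh: 1} if s1 else {}
    return [add(s, f) for s in state[1:]] + [s1]

def backward_round(state, fresh):
    """One inverse round: s_1 = y_t and s_i = y_{i-1} - F(s_1) for i >= 2."""
    s1 = state[-1]
    f = {fresh: 1} if s1 else {}
    return [s1] + [add(y, f, -1) for y in state[:-1]]

def meet_in_the_middle(t):
    """Propagate (a1,0,...,0) forward and (0,...,0,b1) backward over (t-2)/2 rounds each."""
    r = (t - 2) // 2
    fwd = [{"a1": 1}] + [{} for _ in range(t - 1)]
    bwd = [{} for _ in range(t - 1)] + [{"b1": 1}]
    for i in range(r):
        fwd = forward_round(fwd, "a%d" % (i + 2))
        bwd = backward_round(bwd, "b%d" % (i + 2))
    return fwd, bwd

def rank(rows):
    """Rank over Q of a list of linear forms {symbol: coefficient}."""
    names = sorted({k for row in rows for k in row})
    M = [[Fraction(row.get(n, 0)) for n in names] for row in rows]
    rk = 0
    for col in range(len(names)):
        piv = next((i for i in range(rk, len(M)) if M[i][col] != 0), None)
        if piv is None:
            continue
        M[rk], M[piv] = M[piv], M[rk]
        for i in range(len(M)):
            if i != rk and M[i][col] != 0:
                f = M[i][col] / M[rk][col]
                M[i] = [x - f * y for x, y in zip(M[i], M[rk])]
        rk += 1
    return rk

def implies(equations, relation):
    """True iff relation = 0 holds on every solution of the system equations = 0."""
    return rank(equations) == rank(equations + [relation])

def middle_system(t):
    """System (5): forward difference = backward difference, word by word."""
    fwd, bwd = meet_in_the_middle(t)
    return [add(f, b, -1) for f, b in zip(fwd, bwd)]

def differential_is_impossible(t):
    """The middle rounds admit a solution only if a1 = b1."""
    return implies(middle_system(t), {"a1": 1, "b1": -1})

def fmt(d):
    """Render a difference with explicit signs, e.g. '+b1-b3-b4-b5-b6'."""
    return "0" if not d else "".join(("+" if c > 0 else "-") + k for k, c in sorted(d.items()))

if __name__ == "__main__":
    fwd, bwd = meet_in_the_middle(12)
    print("round 16, forward: ", " ".join(fmt(d) for d in fwd))
    print("round 16, backward:", " ".join(fmt(d) for d in bwd))
    for t in (8, 12, 16):
        print("t = %2d: a1 = b1 is forced ->" % t, differential_is_impossible(t))
```

The printed round-16 rows match the last forward row and the first backward
row of Table 6 (with the page's sign convention for the $\beta$ terms made
explicit), and the rank test is exactly the elimination carried out by hand
above.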


B Optimality of the differential characteristics for GMIMC


To determine whether further improvements are possible compared to the
differential characteristics we proposed in Section 5.2, we have searched for
other differential characteristics with a Mixed-Integer Linear Programming
(MILP) model. Note that our model only lower-bounds the probability of a fixed
differential, as done for the previously described characteristics, and does
not take the details of the initial structure or truncation of the output
difference into account.

Previously proposed models for differential characteristics usually represent
either each state word [?] or each bit [?] with a binary decision variable.
Neither is well-suited for GMIMC over prime fields: with a word-wise model, we
cannot identify whether two differences are identical and will thus find many
invalid characteristics; with a bit-wise model, the model would be impractically
large due to the large state size and number of rounds. We thus model each state
word with an integer variable $x \in [-\ell, \ell]$, and addition modulo $q$
simply as $x + y = z$. The variable $x$ in this relation does not define the
value of the difference (except for $x = 0$), but only captures properties such
as equality and additive relations. The bound $\ell$ limits the number of
distinct difference values that can be modelled and also defines the helper
constant $M = 2\ell$.

If $x$ and $y$ are the input and output of an Sbox, we only require that
$x = 0 \Leftrightarrow y = 0$. One direction $x = 0 \Rightarrow y = 0$ of this
equivalence can be encoded using binary helper variables $\tau_i$:

$$ 1 - \tau_1 M \le x \le -1 + \tau_2 M, \qquad -\tau_3 M \le y \le \tau_3 M, \qquad \sum_i \tau_i \le 2 . $$

(At least one $\tau_i$ is zero, so either $x \ge 1$, or $x \le -1$, or $y = 0$.)

Each Sbox is associated with a cost $c \in \{0, 1\}$ ($x \neq 0 \Rightarrow
c = 1$) as well as a gain $g \in \{0, 1\}$, where $g = 1$ means the output
difference $y \neq 0$ is arbitrary and thus the transition does not reduce the
success probability. We identify these cases by requiring that $|y|$ is larger
than any possible sum of defined differences $z$, bounded by $2z$ (with helper
variables $g_z$), including the permutation's input, output, and Sbox outputs
in the previous $r$ rounds:

$$ -cM \le x \le cM, \qquad y \ge 2z - (1 - g_z)M, \qquad y \ge -2z - (1 - g_z)M, \qquad \sum_z g_z \ge g\,(2t + r) . $$

Finally, we require nontriviality, with helper variables $\tau_x, \tau'_x$ for
each input $x$:

$$ 1 - \tau_x M \le x \le -1 + \tau'_x M, \qquad \sum_x (\tau_x + \tau'_x) \le 2t - 1 . $$

The minimization objective is the sum of the cost minus the gain of each Sbox.
This corresponds to $-\log_q P$, where $P$ is the approximate probability of
the differential with fixed input and output difference.

The structured characteristics we describe above yield a cost of $k + 1$ when
the number of rounds is between $kt - 1$ and $(k + 1)t - 2$. We used the MILP
model to look at all possible characteristics for up to $3t$ rounds. The
obtained bounds match our solutions except for $kt - 1$ and $kt$ rounds, where
a small and general modification improves the cost to $k$ instead of $k + 1$.
We conclude that the previously described characteristic is essentially optimal
with respect to the defined search space.


C Weak Cauchy matrices


The linear layers of STARKAD and POSEIDON are chosen such that
$L_{i,j} = 1/(x_i + x_j + a)$, where $x_1, \ldots, x_t$ are distinct elements
of $\mathbb{F}_q$ [24]. The following result shows that, for STARKAD instances
with $t$ a power of two, there exist weak choices of $x_1, \ldots, x_t$ that
enable the preimage attack from Section 6.2.


Theorem 1. Let $G = \{x_1, \ldots, x_t\}$ be an additive subgroup of
$\mathbb{F}_{2^n}$ of order $t$ and let $a \in \mathbb{F}_{2^n} \setminus G$.
For the Cauchy matrix $L \in \mathbb{F}_{2^n}^{t \times t}$ defined by
$L_{i,j} = 1/(x_i + x_j + a)$, it holds that $L^2 = bI$ with
$b = \sum_i 1/(x_i + a)^2$.


Proof. Observe that

$$ (L^2)_{i,j} = \sum_{k=1}^{t} \frac{1}{x_i + x_k + a} \cdot \frac{1}{x_j + x_k + a} . $$

For $i = j$, the result is clear: as $x_k$ ranges over $G$, so does
$x_i + x_k$, hence $(L^2)_{i,i} = \sum_{g \in G} 1/(g + a)^2 = b$. It suffices
to prove that $(L^2)_{i,j} = 0$ for $i \neq j$. Since $x_i \neq x_j$ for
$i \neq j$, we have $g = x_i + x_j \in G \setminus \{0\}$. Finally, writing
$u = x_i + x_k + a$ (so that $x_j + x_k + a = u + g$ and $u \neq 0$ because
$a \notin G$), it holds that

$$ \sum_{k=1}^{t} \frac{1}{(x_i + x_k + a)(x_j + x_k + a)} = \sum_{u \in a + G} \frac{1}{u\,(u + g)} = \frac{1}{g} \sum_{u \in a + G} \Big( \frac{1}{u} + \frac{1}{u + g} \Big) = 0, $$

where the partial-fraction step uses
$\frac{1}{u(u+g)} = \frac{1}{g}\big(\frac{1}{u} + \frac{1}{u+g}\big)$ in
characteristic two, and the last equality holds because $u \mapsto u + g$
permutes the coset $a + G$, so the two inner sums coincide and cancel.


A special case of Theorem 1 is discussed by Youssef et al. [?, §3.2]. For an
extension $\mathbb{F}_2(\zeta) \supset \mathbb{F}_2$ of degree $n$, they show
that the choice $x_i = \sum_{j=1}^{\log_2 t} d_j \zeta^{j-1}$, with
$d_1, \ldots, d_{\log_2 t}$ the binary digits of $i - 1$, results in a Cauchy
matrix $L$ such that $L^2 = b^2 I$ for some $b \in \mathbb{F}_2(\zeta)$.
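
To see Theorem 1 at work, the following Python script (an added example, not
code from the paper) builds $\mathbb{F}_{2^8}$ with the AES reduction
polynomial, takes $G$ to be the $\mathbb{F}_2$-span of a few basis elements
(so $t = 4$, $8$ or $16$), picks a shift $a \notin G$, forms the Cauchy matrix
$L_{i,j} = 1/(x_i + x_j + a)$ and checks that $L^2$ is the scalar matrix $bI$
with $b = \sum_i 1/(x_i + a)^2$. The field, the bases and the shifts are
illustrative assumptions; STARKAD uses other field sizes and points.

```python
"""Theorem 1 (Appendix C) on toy instances: a Cauchy matrix over F_{2^n} built
from an additive subgroup G and a shift a not in G satisfies L^2 = b I.

Added example, not code from the paper. The field F_{2^8} with the AES reduction
polynomial, the subgroups G and the shifts a are illustrative choices; STARKAD
uses different field sizes and points x_i. Field elements are ints holding the
coefficient bits of the polynomial.
"""
from functools import reduce
from operator import xor

N = 8
POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1 (the AES polynomial) defines F_{2^8}

def gf_mul(a, b):
    """Carry-less multiplication modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= POLY
    return r

def gf_inv(a):
    """a^{-1} = a^{2^N - 2} for a != 0 (Fermat in F_{2^N})."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0")
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def additive_subgroup(basis):
    """All F_2-linear combinations of the basis: an additive subgroup of size 2^len(basis)."""
    elems = [0]
    for b in basis:
        elems = elems + [e ^ b for e in elems]
    return elems

def cauchy_matrix(xs, a):
    """L_{i,j} = 1 / (x_i + x_j + a); needs x_i + x_j != a, guaranteed when a is not in G."""
    return [[gf_inv(xi ^ xj ^ a) for xj in xs] for xi in xs]

def gf_matmul(A, B):
    t = len(A)
    return [[reduce(xor, (gf_mul(A[i][k], B[k][j]) for k in range(t)), 0)
             for j in range(t)] for i in range(t)]

def scalar_of_identity(M):
    """Return b if M == b * I, otherwise None."""
    b = M[0][0]
    t = len(M)
    ok = all(M[i][j] == (b if i == j else 0) for i in range(t) for j in range(t))
    return b if ok else None

def theorem1_holds(basis, a):
    """Check L^2 = b I with b = sum_i 1/(x_i + a)^2 for G = span(basis) and a not in G."""
    xs = additive_subgroup(basis)
    if a in xs:
        raise ValueError("a must lie outside G")
    L = cauchy_matrix(xs, a)
    b = scalar_of_identity(gf_matmul(L, L))
    expected = reduce(xor, (gf_mul(gf_inv(x ^ a), gf_inv(x ^ a)) for x in xs), 0)
    return b is not None and b == expected

if __name__ == "__main__":
    for basis, a in (([0x01, 0x02], 0x09), ([0x01, 0x02, 0x04], 0x53),
                     ([0x01, 0x10, 0x20, 0x80], 0x4F)):
        t = 1 << len(basis)
        print("t = %2d, a = 0x%02x: L^2 = b I ->" % (t, a), theorem1_holds(basis, a))
```

Such an $L$ has multiplicative order dividing $2 \cdot \mathrm{ord}(b)$, and
$L/\sqrt{b}$ (which exists since squaring is a bijection of
$\mathbb{F}_{2^n}$) is an involution, which is exactly the situation exploited
by the preimage attack of Section 6.2.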


D Cost of the preimage attack from Section 6.2


This section provides the details of the computational cost analysis of the
preimage attack on HADESMIMC from Section 6.2. In addition, the set of
vulnerable parameters is determined.

Recall that the cost of solving the system of equations using Gröbner basis
techniques is dominated by two steps:

1. Computing a Gröbner basis with respect to a total degree term order such as
   the degree reverse lexicographic (degrevlex) order. For standard reduction
   algorithms such as Faugère's F4 and F5, the time required for this step can
   be upper bounded by [?]

   $$ T_{\mathrm{gb}} \sim O\Big( \binom{D + k}{D}^{\omega} \Big) $$

   for $k$ variables and with $D$ an upper bound on the degree of the Gröbner
   basis elements. Here, $\omega$ is the asymptotic exponent of the time
   complexity of matrix multiplication.

2. Converting the degrevlex Gröbner basis to a Gröbner basis with respect to a
   lexicographic order. For the FGLM algorithm, the cost of this step can be
   estimated as [?]

   $$ T_{\mathrm{fglm}} = O\big( k \dim(\mathbb{F}_q[x_1, \ldots, x_k] / \mathcal{I})^3 \big), $$

   where $\mathcal{I}$ is the ideal corresponding to the equations.

The time required to factor the univariate polynomials in the lexicographic
Gröbner basis can be assumed to be negligible. Hence, the time cost of the
attack is dominated by $q^{t-d}(T_{\mathrm{gb}} + T_{\mathrm{fglm}})$.

To set up a system of preimage equations for HADESMIMC, two diametrically
opposed approaches may be considered. In the first strategy, one attempts to
minimize the number of variables by setting up a system of high-degree
polynomials relating the input and output of the permutation. In the second
approach, intermediate variables are introduced at every round, leading to a
system of many low-degree equations. The latter strategy is usually preferred,
as it leads to a lower degree $D$. However, a routine calculation shows that
reducing the number of variables is more important for the present attack.
Hence, we opt for the former approach.

Clearly, the Sbox layer of the first round may be ignored in the analysis.
Furthermore, since the HADESMIMC design strategy states that the last linear
layer can be omitted, the last round could also be ignored. Nevertheless, this
is not the case for STARKAD and POSEIDON, so we do not take this into account
in the analysis below.

For each guess of $U_2 F(x)$, the outputs $y_1, \ldots, y_k$ may be expressed
directly as polynomials in the input (after the first Sbox layer) of degree
$3^{R_F - 1}$. In general, bounding $D$ is highly nontrivial. However, for
regular systems, Macaulay's bound [?,?] yields

$$ D \le (3^{R_F - 1} - 1)\,k + 1 . $$

Furthermore, small-scale experiments suggest that this bound is tight for this
particular system of equations. It is hard to obtain theoretical estimates of
$\dim(\mathbb{F}_q[x_1, \ldots, x_k]/\mathcal{I})$, but small-scale experiments
suggest that it scales as $\sim 3^{k(R_F - 1)}$, which is consistent with
recent results obtained by Faugère and Perret [?]. Since the FGLM algorithm is
able to exploit sparse linear algebra methods [?], it is reasonable to assume
that $T_{\mathrm{fglm}} \lesssim T_{\mathrm{gb}}$.

Suppose that $3^{R_F - 1} \gg k$. Following the reasoning in [?, §1.3], it
holds that

$$ T_{\mathrm{gb}} \le \gamma\, k\,(D - 1) \binom{k + D - 1}{k}^{\omega} . $$

In the above, the parameters $\gamma$ and $\omega$ are such that the
computational cost of computing the row-reduced echelon form of an $m \times n$
matrix is $\gamma m n^{\omega}$. Stirling's approximation yields the estimate

$$ \log_3 \binom{k + D - 1}{k} \le \log_3 \frac{(k + D - 1)^k}{k!} \approx k \log_3 \frac{k + D - 1}{k} + k \log_3 e - \log_3 \sqrt{2\pi k} = k(R_F - 1) + k \log_3 e - \log_3 \sqrt{2\pi k}, $$

where the last step uses $D - 1 = (3^{R_F - 1} - 1)k$. Together with
$k(D - 1) \le k^2\, 3^{R_F - 1}$, it follows that

$$ T_{\mathrm{gb}} \le \gamma\,(2\pi)^{-\omega/2}\, k^{2 - \omega/2}\, e^{\omega k}\, 3^{(\omega k + 1)(R_F - 1)} . $$

As discussed above, the total computational cost of the attack is then at most

$$ 2\gamma\,(2\pi)^{-\omega/2}\, k^{2 - \omega/2}\, e^{\omega k}\, 3^{(\omega k + 1)(R_F - 1)}\, q^{t - d} . \qquad (6) $$

Suppose that $2\gamma(2\pi)^{-\omega/2} k^{2 - \omega/2} \le 3C$ for some
absolute constant $C$. For the total cost (6) to be below the security level
$q^{\min\{k, c/2\}}$, it suffices that

$$ \log_3 C + R_F + \omega k (\log_3 e + R_F - 1) + (t - d) \log_3 q < \min\{k, c/2\} \log_3 q . $$

Assuming $q > 3^{\omega R_F}$ (so that the denominator below is positive), we
deduce the following lower bound for $k$:

$$ k > \frac{(t - d)\log_3 q + R_F + \log_3 C}{\log_3 q - \omega (R_F + \log_3 e - 1)} . $$

Since $c = t - k$, we also obtain

$$ \log_3 C + R_F + k\big[\omega(\log_3 e + R_F - 1) + (\log_3 q)/2\big] < (d - t/2) \log_3 q . $$

From this, we deduce the upper bound

$$ k < \frac{(d - t/2)\log_3 q - R_F - \log_3 C}{\tfrac{1}{2}\log_3 q + \omega(R_F + \log_3 e - 1)} . $$

We conclude that the preimage attack improves over the $q^{\min\{c/2, k\}}$
security level whenever

$$ \frac{(t - d)\log_3 q + R_F + \log_3 C}{\log_3 q - \omega (R_F + \log_3 e - 1)} \;<\; k \;<\; \frac{(d - t/2)\log_3 q - R_F - \log_3 C}{\tfrac{1}{2}\log_3 q + \omega(R_F + \log_3 e - 1)}, $$

where $C$ is a constant close to one. If $k < 20$, one can take $C = 3$.